From 3060af6bff9d438dccbef80692567c2127b8c5c4 Mon Sep 17 00:00:00 2001
From: Connor Lake <vertoforce@gmail.com>
Date: Fri, 22 Feb 2019 13:40:50 -0600
Subject: [PATCH] Started work on loading dashboards

---
 README.md                                     |   1 +
 docker-compose.yaml                           |   9 +
 .../6d272a20-7319-11e8-9f32-cf7527ac183d.json | 209 +++++++++++
 .../8e8ec8e0-d27c-11e8-b129-a1f6f7111a75.json | 198 +++++++++++
 ...-11e8-b129-a1f6f7111a75_fieldFormatMap.txt | 156 +++++++++
 ...8e0-d27c-11e8-b129-a1f6f7111a75_fields.txt | 328 ++++++++++++++++++
 .../99d1b510-72b3-11e8-9159-894bd7d62352.json | 236 +++++++++++++
 ...-11e8-9159-894bd7d62352_fieldFormatMap.txt | 104 ++++++
 ...510-72b3-11e8-9159-894bd7d62352_fields.txt | 121 +++++++
 .../ac6e6490-3021-11e8-9faf-f77fbc81a50d.json | 105 ++++++
 ...-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt |  32 ++
 ...490-3021-11e8-9faf-f77fbc81a50d_fields.txt | 223 ++++++++++++
 .../ba531340-2f17-11e8-9faf-f77fbc81a50d.json | 149 ++++++++
 ...-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt |  32 ++
 ...340-2f17-11e8-9faf-f77fbc81a50d_fields.txt | 176 ++++++++++
 .../timelineplaso/dashboard/Plaso-Timeline    |  13 +
 .../timelineplaso/search/TL-Domain_Ctrl_Auth  |  16 +
 .../timelineplaso/search/TL-Group_Changes     |  16 +
 .../search/TL-Logon_Session_Evts              |  16 +
 .../timelineplaso/search/TL-Member_Changes    |  16 +
 .../timelineplaso/search/TL-Powershell-All    |  16 +
 .../timelineplaso/search/TL-User_Acct_Changes |  16 +
 .../dashboards/timelineplaso/search/TL-atime  |  16 +
 .../dashboards/timelineplaso/search/TL-ctime  |  16 +
 .../timelineplaso/search/TL-has-path          |  16 +
 .../dashboards/timelineplaso/search/TL-mtime  |  16 +
 .../visualization/TL-Domain_Ctrl_Auth         |  11 +
 .../timelineplaso/visualization/TL-Event-Data |  10 +
 .../visualization/TL-Events-over-time         |  10 +
 .../visualization/TL-FN-and-EventID           |  10 +
 .../visualization/TL-Group_Changes            |  11 +
 .../visualization/TL-Logon_Session_Evts       |  11 +
 .../visualization/TL-Mark-AllEventIDs         |  10 +
 .../visualization/TL-Markup-Powershell        |  10 +
 .../visualization/TL-Member_Changes           |  11 +
 .../visualization/TL-Powershell_all           |  11 +
 .../visualization/TL-Users-over-time          |  10 +
 .../timelineplaso/visualization/TL-mark-group |  10 +
 .../timelineplaso/visualization/TL-mark-user  |  10 +
 .../supporting-scripts/load_all_dashboards.sh |  16 +-
 startup/Dockerfile                            |  12 +
 startup/startup.sh                            |  10 +
 42 files changed, 2418 insertions(+), 7 deletions(-)
 create mode 100644 sof-elk/dashboards/6d272a20-7319-11e8-9f32-cf7527ac183d.json
 create mode 100644 sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75.json
 create mode 100644 sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fieldFormatMap.txt
 create mode 100644 sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fields.txt
 create mode 100644 sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352.json
 create mode 100644 sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fieldFormatMap.txt
 create mode 100644 sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fields.txt
 create mode 100644 sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d.json
 create mode 100644 sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt
 create mode 100644 sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fields.txt
 create mode 100644 sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d.json
 create mode 100644 sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt
 create mode 100644 sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fields.txt
 create mode 100644 sof-elk/dashboards/timelineplaso/dashboard/Plaso-Timeline
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-Domain_Ctrl_Auth
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-Group_Changes
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-Logon_Session_Evts
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-Member_Changes
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-Powershell-All
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-User_Acct_Changes
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-atime
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-ctime
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-has-path
 create mode 100644 sof-elk/dashboards/timelineplaso/search/TL-mtime
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Domain_Ctrl_Auth
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Event-Data
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Events-over-time
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-FN-and-EventID
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Group_Changes
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Logon_Session_Evts
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Mark-AllEventIDs
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Markup-Powershell
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Member_Changes
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Powershell_all
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-Users-over-time
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-mark-group
 create mode 100644 sof-elk/dashboards/timelineplaso/visualization/TL-mark-user
 create mode 100644 startup/Dockerfile
 create mode 100644 startup/startup.sh

diff --git a/README.md b/README.md
index 71c5e69..f73b4cd 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ The following steps were taken to set up sof-elk from the sof-elk config repo
 * Copied `sof-elk/conffiles` to `sof-elk/conffiles`
 * Copied `sof-elk/grok-patterns` to `sof-elk/grok-patterns`
 * Copied `sof-elk/supporting-scripts` to `sof-elk/supporting-scrips`
+* Copied `sof-elk/dashboards` to `sof-elk/dashboards`
 * Copied `lsplugins` from `sof-elk/supporting-scripts/ls_plugin_update.sh` to the plugin install command in the docker-compose.yaml for logstash
 * Added `logspout.conf` to `sof-elk/conffiles` for logspout
 * Changed all `sof-elk/conffiles/*output*` to contain this output line (for correct elasticsearch host)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 2be0da9..5eb3ac4 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -34,6 +34,15 @@ services:
     #         - "traefik.enable=true"
     #         - "traefik.port=9000"
 
+    # Startup to run scripts needed to set up sof-elk
+    starter:
+        image: vertoforce/sof-elk-starter
+        build: startup
+        volumes:
+            - ./sof-elk:/sof-elk
+        networks:
+            - master
+
     # ELK
     elasticsearch:
         image: library/elasticsearch:6.5.0
diff --git a/sof-elk/dashboards/6d272a20-7319-11e8-9f32-cf7527ac183d.json b/sof-elk/dashboards/6d272a20-7319-11e8-9f32-cf7527ac183d.json
new file mode 100644
index 0000000..743aef6
--- /dev/null
+++ b/sof-elk/dashboards/6d272a20-7319-11e8-9f32-cf7527ac183d.json
@@ -0,0 +1,209 @@
+{
+  "version": "6.5.3",
+  "objects": [
+    {
+      "id": "bdecdc70-731e-11e8-9f32-cf7527ac183d",
+      "type": "visualization",
+      "attributes": {
+        "title": "SOF-ELK® VM Intro",
+        "visState": "{\"title\":\"SOF-ELK® VM Intro\",\"type\":\"markdown\",\"params\":{\"fontSize\":11,\"openLinksInNewTab\":false,\"markdown\":\"## Welcome to the SOF-ELK® (Security Operations and Forensics Elasticsearch/Logstash/Kibana) distribution\\n\\nThis VMware image was created with a fully functional ELK configuration.  The VM will ingest various log formats, and includes several dashboards to present the data in useful formats.  While this version of the VM was created specifically for the SANS DFIR FOR572 class, it is maintained as community resource.\\n\\nSee the blocks at the bottom of this page to learn more about which types of data the VM is preconfigured to ingest and how to feed it.\"},\"aggs\":[]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{}"
+        }
+      }
+    },
+    {
+      "id": "f8529370-3023-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "Syslog Count",
+        "visState": "{\"title\":\"Syslog Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Syslog Records\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+        }
+      }
+    },
+    {
+      "id": "fc97bf70-2f2c-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Log Count",
+        "visState": "{\"title\":\"HTTPD Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"HTTPD Records\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "b9aee980-746f-11e8-b583-8357aefbc6ed",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Count",
+        "visState": "{\"title\":\"NetFlow Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"NetFlow Records\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"netflow\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "2ddd09e0-7470-11e8-b583-8357aefbc6ed",
+      "type": "visualization",
+      "attributes": {
+        "title": "Syslog Collected",
+        "visState": "{\"title\":\"Syslog Collected\",\"type\":\"table\",\"params\":{\"perPage\":7,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Records\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":7,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"logstash\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "820f2570-7470-11e8-b583-8357aefbc6ed",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Logs Collected",
+        "visState": "{\"title\":\"HTTPD Logs Collected\",\"type\":\"table\",\"params\":{\"perPage\":7,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Records\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":7,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"httpdlog\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "28d920a0-7489-11e8-b583-8357aefbc6ed",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Collected",
+        "visState": "{\"title\":\"NetFlow Collected\",\"type\":\"table\",\"params\":{\"perPage\":7,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Source\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":7,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Records\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"netflow\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "ea84ac10-7510-11e8-b583-8357aefbc6ed",
+      "type": "visualization",
+      "attributes": {
+        "title": "Syslog Intro",
+        "visState": "{\"title\":\"Syslog Intro\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"openLinksInNewTab\":false,\"markdown\":\"Use the [Syslog Dashboard](#/dashboard/ac6e6490-3021-11e8-9faf-f77fbc81a50d) to explore this data\\n\\nSyslog data is loaded via the following methods:\\n* Files in the `/logstash/syslog/` directory.\\n  * NOTE: Create e.g. `/logstash/syslog/2015/` for files that should be loaded as if they are from the year 2015.\\n* Network syslog messages sent to UDP or TCP port 5514\\n  * NOTE: Open the firewall ports using the `fw_modify.sh` script.  For example:\\n    * `fw_modify.sh -a open -p 5514 -r udp`\\n    * `fw_modify.sh -a open -p 5514 -r tcp`\\n    * [filebeat](https://www.elastic.co/products/beats/filebeat) messages sent to TCP 5044\\n  * NOTE: Open the firewall ports using the `fw_modify.sh` script.  For example:\\n    * `fw_modify.sh -a open -p 5044 -r tcp`\\n    * Network RELP messages sent to TCP 5516\\n  * NOTE: Open firewall ports using the `fw_modify.sh` script.  For example:\\n    * `fw_modify.sh -a open -p 5516 -r tcp`\"},\"aggs\":[]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{}"
+        }
+      }
+    },
+    {
+      "id": "36c823e0-7511-11e8-b583-8357aefbc6ed",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Intro",
+        "visState": "{\"title\":\"NetFlow Intro\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"openLinksInNewTab\":false,\"markdown\":\"Use the [NetFlow Dashboard](#/dashboard/99d1b510-72b3-11e8-9159-894bd7d62352) to explore this data\\n\\nNetFlow data is loaded via the following methods:\\n* Files in the `/logstash/nfarch/` directory.\\n  * NOTE: Files must be in CSV format, created with the supplied `nfdump2sof-elk.sh` script: `nfdump2sof-elk.sh [-e <exporter ip address>] -r <path to nfcapd-based netflow data>`\\n* NetFlow v5 network messages sent to UDP port 9995\\n  * NOTE: Open the firewall ports using the `fw_modify.sh` script.  For example:\\n    * `fw_modify.sh -a open -p 9995 -r udp`\"},\"aggs\":[]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{}"
+        }
+      }
+    },
+    {
+      "id": "57704730-7511-11e8-b583-8357aefbc6ed",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Log Intro",
+        "visState": "{\"title\":\"HTTPD Log Intro\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"openLinksInNewTab\":false,\"markdown\":\"Use the [HTTPD Log Dashboard](#/dashboard/ba531340-2f17-11e8-9faf-f77fbc81a50d) to explore this data\\n\\nHTTPD log data is loaded via the following methods:\\n* Files in the `/logstash/httpd/` directory\\n  * NOTE: Logs in the Common, Combined, and Combined + VHost formats are currently supported\\n* Network syslog messages sent to UDP or TCP port 5515\\n  * NOTE: Open the firewall ports using the `fw_modify.sh` script.  For example:\\n    * `fw_modify.sh -a open -p 5515 -r udp`\\n    * `fw_modify.sh -a open -p 5515 -r tcp`\\n* Network RELP messages sent to TCP 5517\\n  * NOTE: Open firewall ports using the `fw_modify.sh` script.  For example:\\n    * `fw_modify.sh -a open -p 5517 -r tcp`\"},\"aggs\":[]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{}"
+        }
+      }
+    },
+    {
+      "id": "98309f20-8873-11e8-b4c2-17db52b8990d",
+      "type": "visualization",
+      "attributes": {
+        "title": "SOF-ELK®",
+        "visState": "{\"title\":\"SOF-ELK®\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"![SOF-ELK Logo](/plugins/kibana/assets/sof-elk.svg)\"},\"aggs\":[]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{}"
+        }
+      }
+    },
+    {
+      "id": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+      "type": "search",
+      "attributes": {
+        "title": "Syslog Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "syslog_hostname",
+          "syslog_program",
+          "message"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\n  \"index\": \"logstash\",\n  \"highlightAll\": true,\n  \"version\": true,\n  \"query\": {\n    \"query\": \"\",\n    \"language\": \"lucene\"\n  },\n  \"filter\": []\n}"
+        }
+      }
+    },
+    {
+      "id": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+      "type": "search",
+      "attributes": {
+        "title": "HTTPD Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "source_ip",
+          "request_method",
+          "hostname",
+          "request",
+          "response_code"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"httpdlog\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
+        }
+      }
+    },
+    {
+      "id": "6d272a20-7319-11e8-9f32-cf7527ac183d",
+      "type": "dashboard",
+      "attributes": {
+        "title": "SOF-ELK® VM Introduction Dashboard",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":21,\"y\":0,\"w\":27,\"h\":11,\"i\":\"1\"},\"embeddableConfig\":{},\"id\":\"bdecdc70-731e-11e8-9f32-cf7527ac183d\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":6,\"i\":\"2\"},\"embeddableConfig\":{},\"id\":\"f8529370-3023-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":32,\"y\":11,\"w\":16,\"h\":6,\"i\":\"3\"},\"embeddableConfig\":{},\"id\":\"fc97bf70-2f2c-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":16,\"y\":11,\"w\":16,\"h\":6,\"i\":\"4\"},\"embeddableConfig\":{},\"id\":\"b9aee980-746f-11e8-b583-8357aefbc6ed\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":17,\"w\":16,\"h\":14,\"i\":\"5\"},\"embeddableConfig\":{},\"id\":\"2ddd09e0-7470-11e8-b583-8357aefbc6ed\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":32,\"y\":17,\"w\":16,\"h\":14,\"i\":\"7\"},\"embeddableConfig\":{},\"id\":\"820f2570-7470-11e8-b583-8357aefbc6ed\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":16,\"y\":17,\"w\":16,\"h\":14,\"i\":\"8\"},\"embeddableConfig\":{},\"id\":\"28d920a0-7489-11e8-b583-8357aefbc6ed\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":31,\"w\":16,\"h\":15,\"i\":\"9\"},\"embeddableConfig\":{},\"id\":\"ea84ac10-7510-11e8-b583-8357aefbc6ed\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":16,\"y\":31,\"w\":16,\"h\":15,\"i\":\"10\"},\"embeddableConfig\":{},\"id\":\"36c823e0-7511-11e8-b583-8357aefbc6ed\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":32,\"y\":31,\"w\":16,\"h\":15,\"i\":\"11\"},\"embeddableConfig\":{},\"id\":\"57704730-7511-11e8-b583-8357aefbc6ed\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":0,\"y\":0,\"w\":21,\"h\":11,\"i\":\"12\"},\"embeddableConfig\":{},\"id\":\"98309f20-8873-11e8-b4c2-17db52b8990d\",\"type\":\"visualization\",\"version\":\"6.3.2\"}]",
+        "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+        "timeRestore": false,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+        }
+      }
+    }
+  ]
+}
diff --git a/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75.json b/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75.json
new file mode 100644
index 0000000..2803ee6
--- /dev/null
+++ b/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75.json
@@ -0,0 +1,198 @@
+{
+  "version": "6.5.3",
+  "objects": [
+    {
+      "id": "ce5fcc50-72b2-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Bytes by Protocol",
+        "visState": "{\"title\":\"NetFlow Bytes by Protocol\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Bytes\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Bytes\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"aprotocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "2b79dfc0-72b3-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Flows by Protocol",
+        "visState": "{\"title\":\"NetFlow Flows by Protocol\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Flows\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Flows\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records_vis\",\"customLabel\":\"Flows\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"aprotocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "652b9e70-72b3-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Packets by Protocol",
+        "visState": "{\"title\":\"NetFlow Packets by Protocol\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Packets\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Packets\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets_vis\",\"customLabel\":\"Packets\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"aprotocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+      "type": "search",
+      "attributes": {
+        "title": "NetFlow Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "exporter",
+          "aprotocol",
+          "source_ip",
+          "source_port",
+          "destination_ip",
+          "destination_port",
+          "total_bytes",
+          "total_packets"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"netflow\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
+        }
+      }
+    },
+    {
+      "id": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+      "type": "search",
+      "attributes": {
+        "title": "Syslog Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "syslog_hostname",
+          "syslog_program",
+          "message"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\n  \"index\": \"logstash\",\n  \"highlightAll\": true,\n  \"version\": true,\n  \"query\": {\n    \"query\": \"\",\n    \"language\": \"lucene\"\n  },\n  \"filter\": []\n}"
+        }
+      }
+    },
+    {
+      "id": "a7b68c60-3022-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "Event Timeline by Severity",
+        "visState": "{\"title\":\"Event Timeline by Severity\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"severity:[0 TO 2]\"},\"label\":\"Emerg/Alert/Crit\"},{\"input\":{\"query\":\"severity:[3 TO 4]\"},\"label\":\"Error/Warning\"},{\"input\":{\"query\":\"severity:[5 TO 6]\"},\"label\":\"Notice/Info\"},{\"input\":{\"query\":\"severity:7\"},\"label\":\"Debug\"},{\"input\":{\"query\":\"NOT(severity:[0 TO 7])\"},\"label\":\"Unknown\"}]}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "68935a70-d2ae-11e8-b129-a1f6f7111a75",
+      "type": "visualization",
+      "attributes": {
+        "title": "Source Map",
+        "visState": "{\"title\":\"Source Map\",\"type\":\"tile_map\",\"params\":{\"colorSchema\":\"Yellow to Red\",\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatClusterSize\":1.5,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.1&license=6447d0c7-8b7a-4cf7-ad0a-b56fd9164ba2\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.1&license=6447d0c7-8b7a-4cf7-ad0a-b56fd9164ba2\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"subdomains\":[]}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"mapZoom\":2,\"mapCenter\":[0,0],\"precision\":2}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+        }
+      }
+    },
+    {
+      "id": "0f503070-d32e-11e8-b129-a1f6f7111a75",
+      "type": "visualization",
+      "attributes": {
+        "title": "Login Results",
+        "visState": "{\"title\":\"Login Results\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"login_result.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Login Result\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed\":\"#E24D42\",\"Accepted\":\"#7EB26D\"},\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+        }
+      }
+    },
+    {
+      "id": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+      "type": "search",
+      "attributes": {
+        "title": "HTTPD Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "source_ip",
+          "request_method",
+          "hostname",
+          "request",
+          "response_code"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"httpdlog\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
+        }
+      }
+    },
+    {
+      "id": "netflow",
+      "type": "index-pattern",
+      "attributes": {
+        "timeFieldName": "@timestamp",
+        "title": "netflow-*"
+      }
+    },
+    {
+      "id": "logstash",
+      "type": "index-pattern",
+      "attributes": {
+        "timeFieldName": "@timestamp",
+        "title": "logstash-*"
+      }
+    },
+    {
+      "id": "httpdlog",
+      "type": "index-pattern",
+      "attributes": {
+        "timeFieldName": "@timestamp",
+        "title": "httpdlog-*"
+      }
+    },
+    {
+      "id": "8e8ec8e0-d27c-11e8-b129-a1f6f7111a75",
+      "type": "dashboard",
+      "attributes": {
+        "title": "Login Activity Dashboard",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":0,\"y\":0,\"w\":16,\"h\":11,\"i\":\"1\"},\"id\":\"ce5fcc50-72b2-11e8-9159-894bd7d62352\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.4.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":16,\"h\":11,\"i\":\"2\"},\"id\":\"2b79dfc0-72b3-11e8-9159-894bd7d62352\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.4.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":32,\"y\":0,\"w\":16,\"h\":11,\"i\":\"3\"},\"id\":\"652b9e70-72b3-11e8-9159-894bd7d62352\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.4.1\"},{\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":24,\"w\":48,\"h\":11,\"i\":\"4\"},\"id\":\"fa3332b0-72b0-11e8-9159-894bd7d62352\",\"panelIndex\":\"4\",\"type\":\"search\",\"version\":\"6.4.1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":35,\"w\":48,\"h\":11,\"i\":\"5\"},\"id\":\"e45686d0-3021-11e8-9faf-f77fbc81a50d\",\"panelIndex\":\"5\",\"type\":\"search\",\"version\":\"6.4.1\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":13,\"i\":\"6\"},\"id\":\"a7b68c60-3022-11e8-9faf-f77fbc81a50d\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.4.1\"},{\"embeddableConfig\":{\"mapCenter\":[36.59788913307022,21.796875000000004],\"mapZoom\":1},\"gridData\":{\"x\":26,\"y\":11,\"w\":22,\"h\":13,\"i\":\"7\"},\"id\":\"68935a70-d2ae-11e8-b129-a1f6f7111a75\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.4.1\"},{\"gridData\":{\"x\":16,\"y\":11,\"w\":10,\"h\":13,\"i\":\"8\"},\"version\":\"6.4.1\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"id\":\"0f503070-d32e-11e8-b129-a1f6f7111a75\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":46,\"w\":48,\"h\":10,\"i\":\"9\"},\"version\":\"6.4.1\",\"panelIndex\":\"9\",\"type\":\"search\",\"id\":\"9744c560-2f17-11e8-9faf-f77fbc81a50d\",\"embeddableConfig\":{}}]",
+        "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+        "timeRestore": false,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"SSH Records (TCP/22, sshd)\",\"disabled\":true,\"index\":\"netflow\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"ports\\\":\\\"22\\\"}},{\\\"term\\\":{\\\"syslog_program\\\":\\\"sshd\\\"}}]}}\"},\"query\":{\"bool\":{\"should\":[{\"term\":{\"ports\":\"22\"}},{\"term\":{\"syslog_program\":\"sshd\"}}]}}},{\"query\":{\"bool\":{\"should\":[{\"term\":{\"ports\":\"80\"}},{\"term\":{\"ports\":\"443\"}},{\"term\":{\"syslog_program\":\"httpd\"}}]}},\"meta\":{\"index\":\"netflow\",\"disabled\":true,\"alias\":\"HTTP Records (TCP/80,443, httpd)\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"ports\\\":\\\"80\\\"}},{\\\"term\\\":{\\\"ports\\\":\\\"443\\\"}},{\\\"term\\\":{\\\"syslog_program\\\":\\\"httpd\\\"}}]}}\",\"negate\":false},\"$state\":{\"store\":\"appState\"}}]}"
+        }
+      }
+    }
+  ]
+}
diff --git a/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fieldFormatMap.txt b/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fieldFormatMap.txt
new file mode 100644
index 0000000..c33b12c
--- /dev/null
+++ b/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fieldFormatMap.txt
@@ -0,0 +1,156 @@
+{
+  "in_bytes_vis": {
+    "id": "bytes",
+    "params": {
+      "pattern": "0,0.[0]b"
+    }
+  },
+  "flow_records_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "in_packets_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "@timestamp": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "source_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "destination_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "out_bytes_vis": {
+    "id": "bytes",
+    "params": {
+      "pattern": "0,0.[0]b"
+    }
+  },
+  "out_packets_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "missed_bytes_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "total_packets_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "total_bytes_vis": {
+    "id": "bytes",
+    "params": {
+      "pattern": "0,0.[0]b"
+    }
+  },
+  "total_bytes": {
+    "id": "number"
+  },
+  "total_packets": {
+    "id": "number"
+  },
+  "first_switched": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "last_switched": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "ports": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  }
+}
+{
+  "destination_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "source_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "ports": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "@timestamp": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "source_geo.asnstr": {
+    "id": "string",
+    "params": {
+      "transform": "false"
+    }
+  }
+}
+{
+  "source_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "destination_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "ports": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "@timestamp": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "source_geo.asnstr": {
+    "id": "string",
+    "params": {
+      "transform": "false"
+    }
+  }
+}
diff --git a/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fields.txt b/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fields.txt
new file mode 100644
index 0000000..c7749c2
--- /dev/null
+++ b/sof-elk/dashboards/8e8ec8e0-d27c-11e8-b129-a1f6f7111a75_fields.txt
@@ -0,0 +1,328 @@
+{"name":"@timestamp","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"@version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"_id","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_index","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_score","type":"number","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_source","type":"_source","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"agent","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agent.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.build","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.build.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.device","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.device.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.major","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.major.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.minor","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.minor.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os_major","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os_major.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os_minor","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os_minor.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.patch","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.patch.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_ip_v6","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_ip_v6.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"aprotocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"aprotocol.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"auth_reason","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"auth_reason.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.version.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"cachehits","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"cachehits.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"cookie","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"cookie.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"count","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_as","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.area_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asn.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asnstr","type":"string","count":0,"scripted":true,"script":"if ( !doc.containsKey('destination_geo.asn') || !doc.containsKey('destination_geo.as_org.keyword') ) { return 'ASN: Not Available' } else { return 'ASN' + doc['destination_geo.asn'].value + ': ' + doc['destination_geo.as_org.keyword'].value }","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"destination_geo.asnstr.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.number","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"destination_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_mac","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_mac.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_mask","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dhcp_hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_hwaddr","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dhcp_hwaddr.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_messagetype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dhcp_messagetype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dns_query","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dns_query.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dns_rectype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dns_rectype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"engine_id","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"engine_type","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"eth_type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"eth_type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_category","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_category.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_criticality","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_id","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_logsource","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_logsource.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_logtype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_logtype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_sidtype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_sidtype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_source","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_source.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"exporter","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"facility","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"fields","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"first_switched","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"flow_records","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"flow_records_vis","type":"number","count":0,"scripted":true,"script":"return doc['flow_records'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"host","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"host.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"host.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"host.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"http_tags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"http_tags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"httpversion","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ident","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"in_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"in_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['in_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"in_packets","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"in_packets_vis","type":"number","count":0,"scripted":true,"script":"return doc['in_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"info_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"info_phrase","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"info_phrase.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"input.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"input.type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"input_interface","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"input_interface.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"input_snmp","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ips","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"key_id","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"label","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"label.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"last_switched","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"login_method","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"login_method.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"login_result","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"login_result.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"logsource","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"logsource.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"message","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"message.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"missed_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"missed_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['missed_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"next_hop_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"offset","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"original_message","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"out_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"out_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"out_packets","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"out_packets_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"output_interface","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"output_interface.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"output_snmp","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_destusername","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_destusername.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_event","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_event.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_module","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_module.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_service","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_service.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_sessiontype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_sessiontype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_sourceuid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_sourceuid.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"password","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"path","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ports","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"prospector.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"protocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"protocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"protocol.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"proxied","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"proxied.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"proxy_cachestatus","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"proxy_hierarchystatus","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"query","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"query.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"query_string","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"query_string.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"querytype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"querytype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"rawrequest","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"rawrequest.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"received_at","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"referrer","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"referrer.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"relay_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"relay_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"relay_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"request","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"request.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"request_method","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"request_method.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"request_url","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"request_url.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"response_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"response_filename","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"response_filename.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_fuid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_mimetype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"response_mimetype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_phrase","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"response_phrase.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_sub","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"response_time","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"rrclass","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"rrclass.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"severity","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"snare_counter","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_as","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_filename","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_filename.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_fuid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asnstr","type":"string","count":0,"scripted":true,"script":"if ( !doc.containsKey('source_geo.asn') || !doc.containsKey('source_geo.as_org.keyword') ) { return 'ASN: Not Available' } else { return 'ASN' + doc['source_geo.asn'].value + ': ' + doc['source_geo.as_org.keyword'].value }","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_geo.asnstr.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_kex_methods","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_kex_methods.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_mac","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_mac.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_mask","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_mimetype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_mimetype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_tos","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssh_disconnect_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssh_disconnect_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssh_disconnect_statement","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssh_disconnect_statement.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssh_protocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssh_protocol.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssl_cipher","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssl_cipher.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"syslog_hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_pid","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_program","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"syslog_program.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_timestamp","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"tags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"tags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"tcp_aflags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"tcp_aflags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"total_bytes","type":"number","count":0,"scripted":true,"script":"return doc['out_bytes'].value + doc['in_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"total_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_bytes'].value + doc['in_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"total_packets","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value + doc['in_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"total_packets_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value + doc['in_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"trans_depth","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ttl","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"uid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"uptime","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"uptime.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"user","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"user.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"user_validity","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"user_validity.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"username","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"username.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"version","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
diff --git a/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352.json b/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352.json
new file mode 100644
index 0000000..3a4f0c0
--- /dev/null
+++ b/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352.json
@@ -0,0 +1,236 @@
+{
+  "version": "6.5.3",
+  "objects": [
+    {
+      "id": "ce5fcc50-72b2-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Bytes by Protocol",
+        "visState": "{\"title\":\"NetFlow Bytes by Protocol\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Bytes\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Bytes\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"aprotocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "2b79dfc0-72b3-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Flows by Protocol",
+        "visState": "{\"title\":\"NetFlow Flows by Protocol\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Flows\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Flows\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records_vis\",\"customLabel\":\"Flows\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"aprotocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "652b9e70-72b3-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Packets by Protocol",
+        "visState": "{\"title\":\"NetFlow Packets by Protocol\",\"type\":\"area\",\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Packets\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Packets\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets_vis\",\"customLabel\":\"Packets\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"aprotocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "e94c3c00-72b3-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Statistics Summary",
+        "visState": "{\"title\":\"NetFlow Statistics Summary\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records_vis\",\"customLabel\":\"Flows\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets_vis\",\"customLabel\":\"Packets\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "9fda3e40-72b4-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Traffic Source",
+        "visState": "{\"title\":\"NetFlow Traffic Source\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Heatmap\",\"isDesaturated\":true,\"addTooltip\":true,\"heatClusterSize\":1.3,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.3.0&license=6447d0c7-8b7a-4cf7-ad0a-b56fd9164ba2\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.3.0&license=6447d0c7-8b7a-4cf7-ad0a-b56fd9164ba2\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"subdomains\":[]}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"precision\":2}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "e6d33040-72b4-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Volume by Source Port",
+        "visState": "{\"title\":\"NetFlow Volume by Source Port\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source Port\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "5a51a520-72b4-11e8-9159-894bd7d62352",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Statistics by Destination IP",
+        "visState": "{\"title\":\"NetFlow Statistics by Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Volume\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets\",\"customLabel\":\"Packets\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records\",\"customLabel\":\"Flows\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "40667a60-7317-11e8-9f32-cf7527ac183d",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Traffic Destination",
+        "visState": "{\"title\":\"NetFlow Traffic Destination\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Heatmap\",\"isDesaturated\":true,\"addTooltip\":true,\"heatClusterSize\":1.3,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"baseLayersAreLoaded\":{},\"tmsLayers\":[{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.3.0&license=6447d0c7-8b7a-4cf7-ad0a-b56fd9164ba2\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"subdomains\":[]}],\"selectedTmsLayer\":{\"id\":\"road_map\",\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.3.0&license=6447d0c7-8b7a-4cf7-ad0a-b56fd9164ba2\",\"minZoom\":0,\"maxZoom\":18,\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"subdomains\":[]}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"precision\":2}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "524b2aa0-7317-11e8-9f32-cf7527ac183d",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Volume by Destination Port",
+        "visState": "{\"title\":\"NetFlow Volume by Destination Port\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "2f25d250-7317-11e8-9f32-cf7527ac183d",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Statistics by Source IP",
+        "visState": "{\"title\":\"NetFlow Statistics by Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Volume\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets\",\"customLabel\":\"Packets\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records\",\"customLabel\":\"Flows\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "1a339e80-7318-11e8-9f32-cf7527ac183d",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Statistics by Exporter",
+        "visState": "{\"title\":\"NetFlow Statistics by Exporter\",\"type\":\"table\",\"params\":{\"perPage\":7,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Volume\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets\",\"customLabel\":\"Packets\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records\",\"customLabel\":\"Flows\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"exporter\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":7,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Exporter\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "57a87fb0-7318-11e8-9f32-cf7527ac183d",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Statistics by Source AS",
+        "visState": "{\"title\":\"NetFlow Statistics by Source AS\",\"type\":\"table\",\"params\":{\"perPage\":7,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Volume\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets\",\"customLabel\":\"Packets\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records\",\"customLabel\":\"Flows\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.asnstr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":7,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source AS\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "689e8a30-7318-11e8-9f32-cf7527ac183d",
+      "type": "visualization",
+      "attributes": {
+        "title": "NetFlow Statistics by Destination AS",
+        "visState": "{\"title\":\"NetFlow Statistics by Destination AS\",\"type\":\"table\",\"params\":{\"perPage\":7,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes_vis\",\"customLabel\":\"Volume\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_packets\",\"customLabel\":\"Packets\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow_records\",\"customLabel\":\"Flows\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.asnstr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":7,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination AS\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "savedSearchId": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "fa3332b0-72b0-11e8-9159-894bd7d62352",
+      "type": "search",
+      "attributes": {
+        "title": "NetFlow Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "exporter",
+          "aprotocol",
+          "source_ip",
+          "source_port",
+          "destination_ip",
+          "destination_port",
+          "total_bytes",
+          "total_packets"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"netflow\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
+        }
+      }
+    },
+    {
+      "id": "netflow",
+      "type": "index-pattern",
+      "attributes": {
+        "timeFieldName": "@timestamp",
+        "title": "netflow-*"
+      }
+    },
+    {
+      "id": "99d1b510-72b3-11e8-9159-894bd7d62352",
+      "type": "dashboard",
+      "attributes": {
+        "title": "NetFlow Dashboard",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":14,\"i\":\"1\"},\"embeddableConfig\":{},\"id\":\"ce5fcc50-72b2-11e8-9159-894bd7d62352\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":14,\"y\":0,\"w\":17,\"h\":14,\"i\":\"2\"},\"embeddableConfig\":{},\"id\":\"2b79dfc0-72b3-11e8-9159-894bd7d62352\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":14,\"i\":\"3\"},\"embeddableConfig\":{},\"id\":\"652b9e70-72b3-11e8-9159-894bd7d62352\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":7,\"i\":\"5\"},\"embeddableConfig\":{},\"id\":\"e94c3c00-72b3-11e8-9159-894bd7d62352\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":14,\"y\":21,\"w\":19,\"h\":18,\"i\":\"7\"},\"embeddableConfig\":{\"mapCenter\":[41.50857729743935,66.09375000000001],\"mapZoom\":1},\"id\":\"9fda3e40-72b4-11e8-9159-894bd7d62352\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":33,\"y\":21,\"w\":15,\"h\":18,\"i\":\"8\"},\"embeddableConfig\":{},\"id\":\"e6d33040-72b4-11e8-9159-894bd7d62352\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":39,\"w\":14,\"h\":18,\"i\":\"9\"},\"embeddableConfig\":{},\"id\":\"5a51a520-72b4-11e8-9159-894bd7d62352\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":14,\"y\":39,\"w\":19,\"h\":18,\"i\":\"10\"},\"embeddableConfig\":{\"mapCenter\":[14.944784875088372,-42.5390625],\"mapZoom\":2},\"id\":\"40667a60-7317-11e8-9f32-cf7527ac183d\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":33,\"y\":39,\"w\":15,\"h\":18,\"i\":\"11\"},\"embeddableConfig\":{},\"id\":\"524b2aa0-7317-11e8-9f32-cf7527ac183d\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":0,\"y\":21,\"w\":14,\"h\":18,\"i\":\"12\"},\"embeddableConfig\":{},\"id\":\"2f25d250-7317-11e8-9f32-cf7527ac183d\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"panelIndex\":\"13\",\"gridData\":{\"x\":0,\"y\":57,\"w\":10,\"h\":15,\"i\":\"13\"},\"version\":\"6.3.0\",\"type\":\"visualization\",\"id\":\"1a339e80-7318-11e8-9f32-cf7527ac183d\",\"embeddableConfig\":{}},{\"panelIndex\":\"14\",\"gridData\":{\"x\":10,\"y\":57,\"w\":19,\"h\":15,\"i\":\"14\"},\"version\":\"6.3.0\",\"type\":\"visualization\",\"id\":\"57a87fb0-7318-11e8-9f32-cf7527ac183d\",\"embeddableConfig\":{}},{\"panelIndex\":\"15\",\"gridData\":{\"x\":29,\"y\":57,\"w\":19,\"h\":15,\"i\":\"15\"},\"version\":\"6.3.0\",\"type\":\"visualization\",\"id\":\"689e8a30-7318-11e8-9f32-cf7527ac183d\",\"embeddableConfig\":{}},{\"panelIndex\":\"16\",\"gridData\":{\"x\":0,\"y\":72,\"w\":48,\"h\":53,\"i\":\"16\"},\"version\":\"6.3.0\",\"type\":\"search\",\"id\":\"fa3332b0-72b0-11e8-9159-894bd7d62352\",\"embeddableConfig\":{}}]",
+        "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+        "timeRestore": false,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+        }
+      }
+    }
+  ]
+}
diff --git a/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fieldFormatMap.txt b/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fieldFormatMap.txt
new file mode 100644
index 0000000..a148edf
--- /dev/null
+++ b/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fieldFormatMap.txt
@@ -0,0 +1,104 @@
+{
+  "in_bytes_vis": {
+    "id": "bytes",
+    "params": {
+      "pattern": "0,0.[0]b"
+    }
+  },
+  "flow_records_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "in_packets_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "@timestamp": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "source_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "destination_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "out_bytes_vis": {
+    "id": "bytes",
+    "params": {
+      "pattern": "0,0.[0]b"
+    }
+  },
+  "out_packets_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "missed_bytes_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "total_packets_vis": {
+    "id": "number",
+    "params": {
+      "pattern": "0,0.[0]a"
+    }
+  },
+  "total_bytes_vis": {
+    "id": "bytes",
+    "params": {
+      "pattern": "0,0.[0]b"
+    }
+  },
+  "total_bytes": {
+    "id": "number"
+  },
+  "total_packets": {
+    "id": "number"
+  },
+  "first_switched": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "last_switched": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "ports": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "destination_geo.asnstr": {
+    "id": "string",
+    "params": {
+      "transform": "false"
+    }
+  },
+  "source_geo.asnstr": {
+    "id": "string",
+    "params": {
+      "transform": "false"
+    }
+  }
+}
diff --git a/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fields.txt b/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fields.txt
new file mode 100644
index 0000000..864f1a3
--- /dev/null
+++ b/sof-elk/dashboards/99d1b510-72b3-11e8-9159-894bd7d62352_fields.txt
@@ -0,0 +1,121 @@
+{"name":"@timestamp","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"@version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"_id","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_index","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_score","type":"number","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_source","type":"_source","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"aprotocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"aprotocol.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.version.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_as","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asnstr","type":"string","count":0,"scripted":true,"script":"if ( !doc.containsKey('destination_geo.asn') || !doc.containsKey('destination_geo.as_org.keyword') ) { return 'ASN: Not Available' } else { return 'ASN' + doc['destination_geo.asn'].value + ': ' + doc['destination_geo.as_org.keyword'].value }","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"destination_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_mask","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"engine_id","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"engine_type","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"exporter","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"first_switched","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"flow_records","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"flow_records_vis","type":"number","count":0,"scripted":true,"script":"return doc['flow_records'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"host.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"host.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"in_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"in_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['in_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"in_packets","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"in_packets_vis","type":"number","count":0,"scripted":true,"script":"return doc['in_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"input.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"input.type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"input_snmp","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ips","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"last_switched","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"missed_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"missed_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['missed_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"next_hop_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"offset","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"original_message","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"out_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"out_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"out_packets","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"out_packets_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"output_snmp","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"path","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ports","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"prospector.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"protocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"protocol.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_as","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asnstr","type":"string","count":0,"scripted":true,"script":"if ( !doc.containsKey('source_geo.asn') || !doc.containsKey('source_geo.as_org.keyword') ) { return 'ASN: Not Available' } else { return 'ASN' + doc['source_geo.asn'].value + ': ' + doc['source_geo.as_org.keyword'].value }","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_mask","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_tos","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"tags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"tags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"tcp_aflags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"tcp_aflags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"total_bytes","type":"number","count":0,"scripted":true,"script":"return doc['out_bytes'].value + doc['in_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"total_bytes_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_bytes'].value + doc['in_bytes'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"total_packets","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value + doc['in_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"total_packets_vis","type":"number","count":0,"scripted":true,"script":"return doc['out_packets'].value + doc['in_packets'].value","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"version","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
diff --git a/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d.json b/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d.json
new file mode 100644
index 0000000..9f44588
--- /dev/null
+++ b/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d.json
@@ -0,0 +1,105 @@
+{
+  "version": "6.5.3",
+  "objects": [
+    {
+      "id": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+      "type": "search",
+      "attributes": {
+        "title": "Syslog Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "syslog_hostname",
+          "syslog_program",
+          "message"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\n  \"index\": \"logstash\",\n  \"highlightAll\": true,\n  \"version\": true,\n  \"query\": {\n    \"query\": \"\",\n    \"language\": \"lucene\"\n  },\n  \"filter\": []\n}"
+        }
+      }
+    },
+    {
+      "id": "a7b68c60-3022-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "Event Timeline by Severity",
+        "visState": "{\"title\":\"Event Timeline by Severity\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":\"severity:[0 TO 2]\"},\"label\":\"Emerg/Alert/Crit\"},{\"input\":{\"query\":\"severity:[3 TO 4]\"},\"label\":\"Error/Warning\"},{\"input\":{\"query\":\"severity:[5 TO 6]\"},\"label\":\"Notice/Info\"},{\"input\":{\"query\":\"severity:7\"},\"label\":\"Debug\"},{\"input\":{\"query\":\"NOT(severity:[0 TO 7])\"},\"label\":\"Unknown\"}]}}]}",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "33820360-3022-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "Syslog Source Host",
+        "visState": "{\"title\":\"Syslog Source Host\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog_hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "20daa9f0-3023-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "Syslog Program",
+        "visState": "{\"title\":\"Syslog Program\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog_program.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Program\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "f8529370-3023-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "Syslog Count",
+        "visState": "{\"title\":\"Syslog Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Syslog Records\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "e45686d0-3021-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+        }
+      }
+    },
+    {
+      "id": "logstash",
+      "type": "index-pattern",
+      "attributes": {
+        "timeFieldName": "@timestamp",
+        "title": "logstash-*"
+      }
+    },
+    {
+      "id": "ac6e6490-3021-11e8-9faf-f77fbc81a50d",
+      "type": "dashboard",
+      "attributes": {
+        "title": "Syslog Dashboard",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"gridData\":{\"h\":35,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":40},\"id\":\"e45686d0-3021-11e8-9faf-f77fbc81a50d\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.3.0\"},{\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":0},\"id\":\"a7b68c60-3022-11e8-9faf-f77fbc81a50d\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":25},\"id\":\"33820360-3022-11e8-9faf-f77fbc81a50d\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":25},\"id\":\"20daa9f0-3023-11e8-9faf-f77fbc81a50d\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.3.0\"},{\"gridData\":{\"h\":6,\"i\":\"6\",\"w\":16,\"x\":32,\"y\":25},\"id\":\"f8529370-3023-11e8-9faf-f77fbc81a50d\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.3.0\"}]",
+        "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+        "timeRestore": false,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+        }
+      }
+    }
+  ]
+}
diff --git a/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt b/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt
new file mode 100644
index 0000000..8941775
--- /dev/null
+++ b/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt
@@ -0,0 +1,32 @@
+{
+  "destination_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "source_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "ports": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "@timestamp": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "source_geo.asnstr": {
+    "id": "string",
+    "params": {
+      "transform": "false"
+    }
+  }
+}
diff --git a/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fields.txt b/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fields.txt
new file mode 100644
index 0000000..8322148
--- /dev/null
+++ b/sof-elk/dashboards/ac6e6490-3021-11e8-9faf-f77fbc81a50d_fields.txt
@@ -0,0 +1,223 @@
+{"name":"@timestamp","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"@version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"_id","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_index","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_score","type":"number","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_source","type":"_source","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"answer","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"answer_ip_v6","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"answer_ip_v6.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"auth_reason","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"auth_reason.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.version.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"cachehits","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"cachehits.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"cookie","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"cookie.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.area_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asnstr","type":"string","count":0,"scripted":true,"script":"if ( !doc.containsKey('destination_geo.asn') || !doc.containsKey('destination_geo.as_org.keyword') ) { return 'ASN: Not Available' } else { return 'ASN' + doc['destination_geo.asn'].value + ': ' + doc['destination_geo.as_org.keyword'].value }","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"destination_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.number","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"destination_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_mac","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_mac.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dhcp_hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_hwaddr","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dhcp_hwaddr.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dhcp_messagetype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dhcp_messagetype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dns_query","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dns_query.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"dns_rectype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"dns_rectype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"eth_type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"eth_type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_category","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_category.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_criticality","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_id","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_logsource","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_logsource.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_logtype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_logtype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_sidtype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_sidtype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"event_source","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"event_source.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"facility","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"host.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"host.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"input.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"input.type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"input_interface","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"input_interface.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ips","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"key_id","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"label","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"label.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"login_method","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"login_method.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"login_result","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"login_result.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"logsource","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"logsource.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"message","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"message.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"offset","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"original_message","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"output_interface","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"output_interface.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_destusername","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_destusername.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_event","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_event.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_module","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_module.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_service","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_service.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_sessiontype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_sessiontype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"pam_sourceuid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"pam_sourceuid.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"path","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ports","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"prospector.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"prospector.type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"protocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"protocol.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"query","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"query.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"querytype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"querytype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"received_at","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"relay_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"relay_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"relay_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"request_method","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"request_method.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"rrclass","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"rrclass.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"severity","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"snare_counter","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asnstr","type":"string","count":0,"scripted":true,"script":"if ( !doc.containsKey('source_geo.asn') || !doc.containsKey('source_geo.as_org.keyword') ) { return 'ASN: Not Available' } else { return 'ASN' + doc['source_geo.asn'].value + ': ' + doc['source_geo.as_org.keyword'].value }","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_kex_methods","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_kex_methods.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_mac","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_mac.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssh_disconnect_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssh_disconnect_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssh_disconnect_statement","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssh_disconnect_statement.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssh_protocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssh_protocol.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"syslog_hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_pid","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_program","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"syslog_program.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_timestamp","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"syslog_timestamp.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"tags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"tags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ttl","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"uptime","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"uptime.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"user","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"user.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"user_validity","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"user_validity.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"username","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"username.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
diff --git a/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d.json b/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d.json
new file mode 100644
index 0000000..e0a11b7
--- /dev/null
+++ b/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d.json
@@ -0,0 +1,149 @@
+{
+  "version": "6.5.3",
+  "objects": [
+    {
+      "id": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+      "type": "search",
+      "attributes": {
+        "title": "HTTPD Discovery",
+        "description": "",
+        "hits": 0,
+        "columns": [
+          "source_ip",
+          "request_method",
+          "hostname",
+          "request",
+          "response_code"
+        ],
+        "sort": [
+          "@timestamp",
+          "desc"
+        ],
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"index\":\"httpdlog\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
+        }
+      }
+    },
+    {
+      "id": "27462ba0-2f1c-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Timeline",
+        "visState": "{\n  \"aggs\": [\n    {\n      \"enabled\": true,\n      \"id\": \"1\",\n      \"params\": {\n        \"customLabel\": \"Records\"\n      },\n      \"schema\": \"metric\",\n      \"type\": \"count\"\n    },\n    {\n      \"enabled\": true,\n      \"id\": \"2\",\n      \"params\": {\n        \"customInterval\": \"2h\",\n        \"extended_bounds\": {},\n        \"field\": \"@timestamp\",\n        \"interval\": \"auto\",\n        \"min_doc_count\": 1\n      },\n      \"schema\": \"segment\",\n      \"type\": \"date_histogram\"\n    },\n    {\n      \"enabled\": true,\n      \"id\": \"3\",\n      \"params\": {\n        \"field\": \"request_method\",\n        \"missingBucket\": false,\n        \"missingBucketLabel\": \"Missing\",\n        \"order\": \"desc\",\n        \"orderBy\": \"1\",\n        \"otherBucket\": false,\n        \"otherBucketLabel\": \"Other\",\n        \"size\": 5\n      },\n      \"schema\": \"group\",\n      \"type\": \"terms\"\n    }\n  ],\n  \"params\": {\n    \"addLegend\": true,\n    \"addTimeMarker\": false,\n    \"addTooltip\": true,\n    \"categoryAxes\": [\n      {\n        \"id\": \"CategoryAxis-1\",\n        \"labels\": {\n          \"filter\": false,\n          \"rotate\": 0,\n          \"show\": true,\n          \"truncate\": 100\n        },\n        \"position\": \"bottom\",\n        \"scale\": {\n          \"type\": \"linear\"\n        },\n        \"show\": true,\n        \"style\": {},\n        \"title\": {},\n        \"type\": \"category\"\n      }\n    ],\n    \"grid\": {\n      \"categoryLines\": false,\n      \"style\": {\n        \"color\": \"#eee\"\n      }\n    },\n    \"legendPosition\": \"right\",\n    \"seriesParams\": [\n      {\n        \"data\": {\n          \"id\": \"1\",\n          \"label\": \"Records\"\n        },\n        \"drawLinesBetweenPoints\": true,\n        \"interpolate\": \"linear\",\n        \"mode\": \"normal\",\n        \"show\": \"true\",\n        \"showCircles\": true,\n        \"type\": \"line\",\n        \"valueAxis\": \"ValueAxis-1\"\n      }\n    ],\n    \"times\": [],\n    \"type\": \"line\",\n    \"valueAxes\": [\n      {\n        \"id\": \"ValueAxis-1\",\n        \"labels\": {\n          \"filter\": false,\n          \"rotate\": 0,\n          \"show\": true,\n          \"truncate\": 100\n        },\n        \"name\": \"LeftAxis-1\",\n        \"position\": \"left\",\n        \"scale\": {\n          \"mode\": \"normal\",\n          \"type\": \"log\"\n        },\n        \"show\": true,\n        \"style\": {},\n        \"title\": {\n          \"text\": \"Records\"\n        },\n        \"type\": \"value\"\n      }\n    ]\n  },\n  \"title\": \"HTTPD Timeline\",\n  \"type\": \"line\"\n}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\n  \"filter\": [],\n  \"query\": {\n    \"language\": \"lucene\",\n    \"query\": \"\"\n  }\n}"
+        }
+      }
+    },
+    {
+      "id": "fc97bf70-2f2c-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Log Count",
+        "visState": "{\"title\":\"HTTPD Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"HTTPD Records\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "617743c0-2f2d-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Response Code Timeline",
+        "visState": "{\n  \"title\": \"HTTPD Response Code Timeline\",\n  \"type\": \"line\",\n  \"params\": {\n    \"type\": \"line\",\n    \"grid\": {\n      \"categoryLines\": false,\n      \"style\": {\n        \"color\": \"#eee\"\n      }\n    },\n    \"categoryAxes\": [\n      {\n        \"id\": \"CategoryAxis-1\",\n        \"type\": \"category\",\n        \"position\": \"bottom\",\n        \"show\": true,\n        \"style\": {},\n        \"scale\": {\n          \"type\": \"linear\"\n        },\n        \"labels\": {\n          \"show\": true,\n          \"truncate\": 100\n        },\n        \"title\": {}\n      }\n    ],\n    \"valueAxes\": [\n      {\n        \"id\": \"ValueAxis-1\",\n        \"name\": \"LeftAxis-1\",\n        \"type\": \"value\",\n        \"position\": \"left\",\n        \"show\": true,\n        \"style\": {},\n        \"scale\": {\n          \"type\": \"log\",\n          \"mode\": \"normal\"\n        },\n        \"labels\": {\n          \"show\": true,\n          \"rotate\": 0,\n          \"filter\": false,\n          \"truncate\": 100\n        },\n        \"title\": {\n          \"text\": \"Records\"\n        }\n      }\n    ],\n    \"seriesParams\": [\n      {\n        \"show\": \"true\",\n        \"type\": \"line\",\n        \"mode\": \"normal\",\n        \"data\": {\n          \"label\": \"Records\",\n          \"id\": \"1\"\n        },\n        \"valueAxis\": \"ValueAxis-1\",\n        \"drawLinesBetweenPoints\": true,\n        \"showCircles\": true\n      }\n    ],\n    \"addTooltip\": true,\n    \"addLegend\": true,\n    \"legendPosition\": \"right\",\n    \"times\": [],\n    \"addTimeMarker\": false\n  },\n  \"aggs\": [\n    {\n      \"id\": \"1\",\n      \"enabled\": true,\n      \"type\": \"count\",\n      \"schema\": \"metric\",\n      \"params\": {\n        \"customLabel\": \"Records\"\n      }\n    },\n    {\n      \"id\": \"2\",\n      \"enabled\": true,\n      \"type\": \"date_histogram\",\n      \"schema\": \"segment\",\n      \"params\": {\n        \"field\": \"@timestamp\",\n        \"interval\": \"auto\",\n        \"customInterval\": \"2h\",\n        \"min_doc_count\": 1,\n        \"extended_bounds\": {}\n      }\n    },\n    {\n      \"id\": \"3\",\n      \"enabled\": true,\n      \"type\": \"terms\",\n      \"schema\": \"group\",\n      \"params\": {\n        \"field\": \"response_code\",\n        \"otherBucket\": false,\n        \"otherBucketLabel\": \"Other\",\n        \"missingBucket\": false,\n        \"missingBucketLabel\": \"Missing\",\n        \"size\": 5,\n        \"order\": \"desc\",\n        \"orderBy\": \"1\"\n      }\n    }\n  ]\n}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\n  \"filter\": [],\n  \"query\": {\n    \"query\": \"\",\n    \"language\": \"lucene\"\n  }\n}"
+        }
+      }
+    },
+    {
+      "id": "ab7426f0-2f2d-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Source ASNs",
+        "visState": "{\"title\":\"HTTPD Source ASNs\",\"type\":\"table\",\"params\":{\"perPage\":12,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Records\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.asnstr\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":12,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source ASN\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+        }
+      }
+    },
+    {
+      "id": "970ab5b0-2f2f-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "Vhost Pie Graph",
+        "visState": "{\"title\":\"Vhost Pie Graph\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Records\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"hostname.keyword\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"VirtualHost Name\"}}]}",
+        "uiStateJSON": "{}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+        }
+      }
+    },
+    {
+      "id": "1554e120-2f30-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTP User Agents",
+        "visState": "{\"title\":\"HTTP User Agents\",\"type\":\"table\",\"params\":{\"perPage\":7,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Records\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.keyword\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"HTTP User Agent\"}}]}",
+        "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+        }
+      }
+    },
+    {
+      "id": "fcc684b0-2f39-11e8-9faf-f77fbc81a50d",
+      "type": "visualization",
+      "attributes": {
+        "title": "HTTPD Access Source",
+        "visState": "{\"title\":\"HTTPD Access Source\",\"type\":\"tile_map\",\"params\":{\"addTooltip\":true,\"heatClusterSize\":1.3,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"},\"tmsLayers\":[{\"attribution\":\"<p>&#169; <a href=\\\"http://www.openstreetmap.org/copyright\\\">OpenStreetMap</a> contributors | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>&#10;\",\"id\":\"road_map\",\"maxZoom\":10,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.2.3\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"isFilteredByCollar\":true,\"useGeocentroid\":true,\"precision\":2}}]}",
+        "uiStateJSON": "{\"mapCenter\":[16.947354170252698,-6.432500062510371],\"mapZoom\":2}",
+        "description": "",
+        "savedSearchId": "9744c560-2f17-11e8-9faf-f77fbc81a50d",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+        }
+      }
+    },
+    {
+      "id": "httpdlog",
+      "type": "index-pattern",
+      "attributes": {
+        "timeFieldName": "@timestamp",
+        "title": "httpdlog-*"
+      }
+    },
+    {
+      "id": "ba531340-2f17-11e8-9faf-f77fbc81a50d",
+      "type": "dashboard",
+      "attributes": {
+        "title": "HTTPD Log Dashboard",
+        "hits": 0,
+        "description": "",
+        "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":12,\"w\":12,\"h\":5,\"i\":\"1\"},\"id\":\"9744c560-2f17-11e8-9faf-f77fbc81a50d\",\"type\":\"search\",\"version\":\"6.2.3\"},{\"panelIndex\":\"2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":4,\"i\":\"2\"},\"id\":\"27462ba0-2f1c-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":9,\"y\":0,\"w\":3,\"h\":2,\"i\":\"3\"},\"id\":\"fc97bf70-2f2c-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":0,\"y\":4,\"w\":9,\"h\":4,\"i\":\"4\"},\"id\":\"617743c0-2f2d-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"5\",\"gridData\":{\"x\":9,\"y\":2,\"w\":3,\"h\":6,\"i\":\"5\"},\"id\":\"ab7426f0-2f2d-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":8,\"w\":4,\"h\":4,\"i\":\"6\"},\"id\":\"970ab5b0-2f2f-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":9,\"y\":8,\"w\":3,\"h\":4,\"i\":\"7\"},\"id\":\"1554e120-2f30-11e8-9faf-f77fbc81a50d\",\"type\":\"visualization\",\"version\":\"6.2.3\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":4,\"y\":8,\"w\":5,\"h\":4,\"i\":\"8\"},\"version\":\"6.2.3\",\"type\":\"visualization\",\"id\":\"fcc684b0-2f39-11e8-9faf-f77fbc81a50d\",\"embeddableConfig\":{\"mapCenter\":[16.947354170252698,-6.432500062510371],\"mapZoom\":1}}]",
+        "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+        "timeRestore": false,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+        }
+      }
+    }
+  ]
+}
diff --git a/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt b/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt
new file mode 100644
index 0000000..01271dd
--- /dev/null
+++ b/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fieldFormatMap.txt
@@ -0,0 +1,32 @@
+{
+  "source_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "destination_port": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "ports": {
+    "id": "number",
+    "params": {
+      "pattern": "00"
+    }
+  },
+  "@timestamp": {
+    "id": "date",
+    "params": {
+      "pattern": "YYYY-MM-DD HH:mm:ss.SSS\\Z"
+    }
+  },
+  "source_geo.asnstr": {
+    "id": "string",
+    "params": {
+      "transform": "false"
+    }
+  }
+}
diff --git a/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fields.txt b/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fields.txt
new file mode 100644
index 0000000..7548cea
--- /dev/null
+++ b/sof-elk/dashboards/ba531340-2f17-11e8-9faf-f77fbc81a50d_fields.txt
@@ -0,0 +1,176 @@
+{"name":"@timestamp","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"@version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"_id","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_index","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"_score","type":"number","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_source","type":"_source","count":0,"scripted":false,"searchable":false,"aggregatable":false,"readFromDocValues":false}
+{"name":"_type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"agent","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agent.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.build","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.build.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.device","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.device.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.major","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.major.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.minor","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.minor.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os_major","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os_major.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os_minor","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os_minor.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.os_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.os_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"agentinfo.patch","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"agentinfo.patch.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"beat.version","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"beat.version.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"cookie","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"cookie.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"count","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.area_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asn","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.asn.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.asnstr","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.asnstr.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.number","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.number.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"destination_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"destination_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"facility","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"fields","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"host","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"host.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"http_tags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"http_tags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"httpversion","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ident","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"info_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"info_phrase","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"info_phrase.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"input.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"input.type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ips","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"logsource","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"logsource.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"offset","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"original_message","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"password","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"path","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ports","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"prospector.type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"prospector.type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"protocol","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"proxied","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"proxied.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"proxy_cachestatus","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"proxy_hierarchystatus","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"query_string","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"query_string.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"rawrequest","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"rawrequest.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"received_at","type":"date","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"referrer","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"referrer.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"request","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"request.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"request_method","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"request_url","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"request_url.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"response_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"response_filename","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"response_filename.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_fuid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_mimetype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"response_mimetype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_phrase","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"response_phrase.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"response_sub","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"response_time","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"severity","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_bytes","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_filename","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_filename.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_fuid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_geo.as_org","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.as_org.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asn","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.asnstr","type":"string","count":0,"scripted":true,"script":"if ( !doc.containsKey('source_geo.asn') || !doc.containsKey('source_geo.as_org.keyword') ) { return 'ASN: Not Available' } else { return 'ASN' + doc['source_geo.asn'].value + ': ' + doc['source_geo.as_org.keyword'].value }","lang":"painless","searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_geo.asnstr.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.city_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.city_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.continent_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.continent_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code2","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code2.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_code3","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_code3.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.country_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.country_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.dma_code","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.latitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.location","type":"geo_point","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.longitude","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.postal_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.postal_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_code","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_code.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.region_name","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.region_name.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_geo.timezone","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_geo.timezone.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_ip","type":"ip","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"source_mimetype","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"source_mimetype.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"source_port","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"ssl_cipher","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"ssl_cipher.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_hostname","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"syslog_hostname.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_program","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"syslog_program.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"syslog_timestamp","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"tags","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"tags.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"trans_depth","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"type","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"type.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"uid","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":false}
+{"name":"username","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":false,"readFromDocValues":false}
+{"name":"username.keyword","type":"string","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
+{"name":"version","type":"number","count":0,"scripted":false,"searchable":true,"aggregatable":true,"readFromDocValues":true}
diff --git a/sof-elk/dashboards/timelineplaso/dashboard/Plaso-Timeline b/sof-elk/dashboards/timelineplaso/dashboard/Plaso-Timeline
new file mode 100644
index 0000000..ab79d4b
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/dashboard/Plaso-Timeline
@@ -0,0 +1,13 @@
+{
+  "title": "Plaso Timeline",
+  "hits": 0,
+  "description": "",
+  "panelsJSON": "[{\"col\":3,\"id\":\"TL-Users-over-time\",\"panelIndex\":1,\"row\":1,\"size_x\":5,\"size_y\":5,\"type\":\"visualization\"},{\"col\":8,\"id\":\"TL-Events-over-time\",\"panelIndex\":2,\"row\":1,\"size_x\":5,\"size_y\":5,\"type\":\"visualization\"},{\"col\":7,\"id\":\"TL-Member_Changes\",\"panelIndex\":3,\"row\":6,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":3,\"id\":\"TL-Group_Changes\",\"panelIndex\":4,\"row\":10,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":3,\"id\":\"TL-Domain_Ctrl_Auth\",\"panelIndex\":6,\"row\":14,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"TL-Logon_Session_Evts\",\"panelIndex\":7,\"row\":6,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":8,\"id\":\"TL-Markup-Powershell\",\"panelIndex\":11,\"row\":10,\"size_x\":5,\"size_y\":2,\"type\":\"visualization\"},{\"col\":8,\"id\":\"TL-Powershell_all\",\"panelIndex\":12,\"row\":12,\"size_x\":5,\"size_y\":6,\"type\":\"visualization\"},{\"col\":1,\"id\":\"TL-Mark-AllEventIDs\",\"panelIndex\":14,\"row\":1,\"size_x\":2,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"id\":\"TL-Mark-AllEventIDs\",\"panelIndex\":15,\"row\":10,\"size_x\":2,\"size_y\":8,\"type\":\"visualization\"}]",
+  "optionsJSON": "{\"darkTheme\":false}",
+  "uiStateJSON": "{\"P-1\":{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}}},\"P-2\":{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}}},\"P-7\":{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}}}}",
+  "version": 1,
+  "timeRestore": false,
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
+  }
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-Domain_Ctrl_Auth b/sof-elk/dashboards/timelineplaso/search/TL-Domain_Ctrl_Auth
new file mode 100644
index 0000000..674e611
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-Domain_Ctrl_Auth
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"evt-eventid:4768 OR evt-eventid:4771 OR evt-eventid:4772\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-Domain_Ctrl_Auth"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-Group_Changes b/sof-elk/dashboards/timelineplaso/search/TL-Group_Changes
new file mode 100644
index 0000000..fc61d78
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-Group_Changes
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"evt-eventid:4727 OR evt-eventid:[4730 TO 4731] OR evt-eventid:[4734 TO 4735] OR evt-eventid:4737 OR evt-eventid:[4744 TO 4745] OR evt-eventid:[4748 TO 4750] OR evt-eventid:[4753 TO 4755] OR evt-eventid:[4758 TO 4760] OR evt-eventid:4763\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-Group_Changes"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-Logon_Session_Evts b/sof-elk/dashboards/timelineplaso/search/TL-Logon_Session_Evts
new file mode 100644
index 0000000..6a99faa
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-Logon_Session_Evts
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"evt-eventid:[4624 TO 4625] OR evt-eventid:4647 OR evt-eventid:[4778 TO 4779] OR evt-eventid:[4800 TO 4803]\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-Logon_Session_Evts"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-Member_Changes b/sof-elk/dashboards/timelineplaso/search/TL-Member_Changes
new file mode 100644
index 0000000..eb75fa1
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-Member_Changes
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"evt-eventid:[4728 TO 4729] OR evt-eventid:[4732 TO 4733] OR evt-eventid:[4746 TO 4747] OR evt-eventid:[4751 TO 4752] OR evt-eventid:[4756 TO 4757] OR evt-eventid:[4761 TO 4762]\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-Member_Changes"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-Powershell-All b/sof-elk/dashboards/timelineplaso/search/TL-Powershell-All
new file mode 100644
index 0000000..d064383
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-Powershell-All
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"evt-eventid:400 OR evt-eventid:403 OR evt-eventid:6 OR evt-eventid:40961 OR evt-eventid:4100 OR evt-eventid:169 OR evt-eventid:81 OR evt-eventid:134 OR evt-eventid:7937 OR evt-eventid:32850 OR evt-eventid:32867 OR evt-eventid:32868\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-Powershell-All"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-User_Acct_Changes b/sof-elk/dashboards/timelineplaso/search/TL-User_Acct_Changes
new file mode 100644
index 0000000..fa90203
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-User_Acct_Changes
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"evt-eventid:4720 OR evt-eventid:[4722 TO 4726] OR evt-eventid:[4738 TO 4740] OR evt-eventid:4767 OR evt-eventid:4781\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-User_Acct_Changes"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-atime b/sof-elk/dashboards/timelineplaso/search/TL-atime
new file mode 100644
index 0000000..0d3d808
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-atime
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"timestamp_desc:*atime*\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-atime"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-ctime b/sof-elk/dashboards/timelineplaso/search/TL-ctime
new file mode 100644
index 0000000..bd78569
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-ctime
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"timestamp_desc:*ctime*\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-ctime"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-has-path b/sof-elk/dashboards/timelineplaso/search/TL-has-path
new file mode 100644
index 0000000..35a2018
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-has-path
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"_exists_:evt-path\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-has-path"
+}
diff --git a/sof-elk/dashboards/timelineplaso/search/TL-mtime b/sof-elk/dashboards/timelineplaso/search/TL-mtime
new file mode 100644
index 0000000..4c3c330
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/search/TL-mtime
@@ -0,0 +1,16 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"timestamp_desc:*mtime*\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
+  },
+  "version": 1,
+  "sort": [
+    "@timestamp",
+    "desc"
+  ],
+  "columns": [
+    "_source"
+  ],
+  "hits": 0,
+  "description": "",
+  "title": "TL-mtime"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Domain_Ctrl_Auth b/sof-elk/dashboards/timelineplaso/visualization/TL-Domain_Ctrl_Auth
new file mode 100644
index 0000000..ce2dd9d
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Domain_Ctrl_Auth
@@ -0,0 +1,11 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"filter\":[]}"
+  },
+  "version": 1,
+  "savedSearchId": "TL-Domain_Ctrl_Auth",
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"evt-eventid\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+  "title": "TL-Domain_Ctrl_Auth"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Event-Data b/sof-elk/dashboards/timelineplaso/visualization/TL-Event-Data
new file mode 100644
index 0000000..a0f1686
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Event-Data
@@ -0,0 +1,10 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
+  },
+  "version": 1,
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"evt-eventid\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event ID\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"evt-logon_type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Logon Type\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"evt-provider\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Provider\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parser\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Parser\"}}],\"listeners\":{}}",
+  "title": "TL-Event-Data"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Events-over-time b/sof-elk/dashboards/timelineplaso/visualization/TL-Events-over-time
new file mode 100644
index 0000000..cc3041b
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Events-over-time
@@ -0,0 +1,10 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
+  },
+  "version": 1,
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"TL-Events-by-user\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"evt-eventid\",\"size\":15,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Windows Event ID #\"}}],\"listeners\":{}}",
+  "title": "TL-Events-over-time"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-FN-and-EventID b/sof-elk/dashboards/timelineplaso/visualization/TL-FN-and-EventID
new file mode 100644
index 0000000..3ea4bfe
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-FN-and-EventID
@@ -0,0 +1,10 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\n  \"index\": \"timelineplaso-*\",\n  \"query\": {\n    \"query_string\": {\n      \"query\": \"*\",\n      \"analyze_wildcard\": true\n    }\n  },\n  \"filter\": []\n}"
+  },
+  "version": 1,
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\n  \"title\": \"New Visualization\",\n  \"type\": \"histogram\",\n  \"params\": {\n    \"shareYAxis\": true,\n    \"addTooltip\": true,\n    \"addLegend\": true,\n    \"scale\": \"linear\",\n    \"mode\": \"stacked\",\n    \"times\": [],\n    \"addTimeMarker\": false,\n    \"defaultYExtents\": false,\n    \"setYExtents\": false,\n    \"yAxis\": {}\n  },\n  \"aggs\": [\n    {\n      \"id\": \"1\",\n      \"type\": \"count\",\n      \"schema\": \"metric\",\n      \"params\": {}\n    },\n    {\n      \"id\": \"2\",\n      \"type\": \"date_histogram\",\n      \"schema\": \"segment\",\n      \"params\": {\n        \"field\": \"@timestamp\",\n        \"interval\": \"auto\",\n        \"customInterval\": \"2h\",\n        \"min_doc_count\": 1,\n        \"extended_bounds\": {}\n      }\n    },\n    {\n      \"id\": \"3\",\n      \"type\": \"terms\",\n      \"schema\": \"group\",\n      \"params\": {\n        \"field\": \"evt-eventid\",\n        \"size\": 20,\n        \"order\": \"desc\",\n        \"orderBy\": \"1\"\n      }\n    },\n    {\n      \"id\": \"4\",\n      \"type\": \"terms\",\n      \"schema\": \"split\",\n      \"params\": {\n        \"field\": \"filename.raw\",\n        \"size\": 13,\n        \"order\": \"desc\",\n        \"orderBy\": \"1\",\n        \"row\": true\n      }\n    }\n  ],\n  \"listeners\": {}\n}",
+  "title": "TL - FN and EventID"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Group_Changes b/sof-elk/dashboards/timelineplaso/visualization/TL-Group_Changes
new file mode 100644
index 0000000..1619275
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Group_Changes
@@ -0,0 +1,11 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"filter\":[]}"
+  },
+  "version": 1,
+  "savedSearchId": "TL-Group_Changes",
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"evt-eventid\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"evt-logon_type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}}],\"listeners\":{}}",
+  "title": "TL-Group_Changes"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Logon_Session_Evts b/sof-elk/dashboards/timelineplaso/visualization/TL-Logon_Session_Evts
new file mode 100644
index 0000000..a1e88b0
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Logon_Session_Evts
@@ -0,0 +1,11 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\n  \"filter\": []\n}"
+  },
+  "version": 1,
+  "savedSearchId": "TL-Logon_Session_Evts",
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\n  \"title\": \"New Visualization\",\n  \"type\": \"histogram\",\n  \"params\": {\n    \"shareYAxis\": true,\n    \"addTooltip\": true,\n    \"addLegend\": true,\n    \"scale\": \"linear\",\n    \"mode\": \"stacked\",\n    \"times\": [],\n    \"addTimeMarker\": false,\n    \"defaultYExtents\": false,\n    \"setYExtents\": false,\n    \"yAxis\": {}\n  },\n  \"aggs\": [\n    {\n      \"id\": \"1\",\n      \"type\": \"count\",\n      \"schema\": \"metric\",\n      \"params\": {}\n    },\n    {\n      \"id\": \"2\",\n      \"type\": \"date_histogram\",\n      \"schema\": \"segment\",\n      \"params\": {\n        \"field\": \"@timestamp\",\n        \"interval\": \"auto\",\n        \"customInterval\": \"2h\",\n        \"min_doc_count\": 1,\n        \"extended_bounds\": {}\n      }\n    },\n    {\n      \"id\": \"3\",\n      \"type\": \"terms\",\n      \"schema\": \"group\",\n      \"params\": {\n        \"field\": \"evt-eventid\",\n        \"size\": 10,\n        \"order\": \"desc\",\n        \"orderBy\": \"1\"\n      }\n    },\n    {\n      \"id\": \"4\",\n      \"type\": \"terms\",\n      \"schema\": \"split\",\n      \"params\": {\n        \"field\": \"evt-logon_type\",\n        \"size\": 5,\n        \"order\": \"desc\",\n        \"orderBy\": \"1\",\n        \"row\": true\n      }\n    }\n  ],\n  \"listeners\": {}\n}",
+  "title": "TL-Logon_Session_Evts"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Mark-AllEventIDs b/sof-elk/dashboards/timelineplaso/visualization/TL-Mark-AllEventIDs
new file mode 100644
index 0000000..9423be8
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Mark-AllEventIDs
@@ -0,0 +1,10 @@
+{
+  "title": "TL-HTML-AllEventIDs",
+  "visState": "{\n  \"title\": \"New Visualization\",\n  \"type\": \"html\",\n  \"params\": {\n    \"html\": \"<h4>All Event ID's</h4>\\n51 nt starting up<BR>\\n513 shutting down<BR>\\n514 auth pkg loaded by lsa<BR>\\n515 logon register with lsa<BR>\\n516 audit messages queue full<BR>\\n517 audit log cleared<BR>\\n518 notif pkg loaded by sam<BR>\\n519 invalid lpc port<BR>\\n520 sys time chg<BR>\\n521 unable to log to sec log<BR>\\n528 success logon<BR>\\n529 logonfail-unk user-bad pw<BR>\\n530 logonfail-acct logon time<BR>\\n531 logonfail-acct disabled<BR>\\n532 logonfail-acct expired<BR>\\n533 logonfail-not allowed to logon<BR>\\n534 logonfail-not granted logon type<BR>\\n535 logonfail-pw expired<BR>\\n536 logonfail-netlogon not active<BR>\\n537 logonfail-logon attempt fail<BR>\\n538 user logoff<BR>\\n539 logonfail- acct locked out<BR>\\n540 success network logon<BR>\\n551 user initiated logoff<BR>\\n552 logon attempt using explicit creds<BR>\\n560 obj open<BR>\\n561 handle allocated<BR>\\n562 handle closed<BR>\\n563 obj open for delete<BR>\\n564 obj deleted<BR>\\n565 obj open-ad<BR>\\n566 obj operation-w3 ad<BR>\\n567 obj access attempt<BR>\\n576 special privs for new logon<BR>\\n577 priv svc called<BR>\\n578 priv obj operation<BR>\\n592 new process been add<BR>\\n593 process exited<BR>\\n594 handle to obj been duplicated<BR>\\n595 indirect access to obj obtained<BR>\\n596 backup of data prot master key<BR>\\n600 process assigned primary token<BR>\\n601 attempt to install svc<BR>\\n602 scheduled task add<BR>\\n608 user right assigned<BR>\\n609 user right removed<BR>\\n610 new trusted domain<BR>\\n611 removing trusted domain<BR>\\n612 audit policy change<BR>\\n613 ipsec agent started<BR>\\n614 ipsec agent disabled<BR>\\n615 ipsec agent svc<BR>\\n616 ipsec agent failure<BR>\\n617 kerberos policy changed<BR>\\n618 encryp data recov policy chg<BR>\\n619 quality of svc policy changed<BR>\\n620 trusted domain info chg<BR>\\n621 sys sec access granted<BR>\\n622 sys sec access removed<BR>\\n623 per user audit policy refreshed<BR>\\n624 user acct created<BR>\\n625 user acct type changed<BR>\\n626 user acct enabl<BR>\\n627 change pw attempt<BR>\\n628 user acct pw set<BR>\\n629 user acct disab<BR>\\n630 user acct deleted<BR>\\n631 enabl global grp created<BR>\\n632 enabl global grp member added<BR>\\n633 enabl global grp member removed<BR>\\n634 enabl global grp deleted<BR>\\n635 enabl local grp created<BR>\\n636 enabl local grp member added<BR>\\n637 enabl local grp member removed<BR>\\n638 enabl local grp deleted<BR>\\n639 enabl local grp changed<BR>\\n640 general acct database change<BR>\\n641 sec enabl global grp changed<BR>\\n642 user acct changed<BR>\\n643 domain policy changed<BR>\\n644 user acct locked out<BR>\\n645 computer acct created<BR>\\n646 computer acct changed<BR>\\n647 computer acct deleted<BR>\\n648 disab local grp add<BR>\\n649 disab local grp chg<BR>\\n650 disab local grp member add<BR>\\n651 disab local grp member del<BR>\\n652 disab local grp del<BR>\\n653 disab glob grp add<BR>\\n654 disab glob grp chg<BR>\\n655 disab glob grp member add<BR>\\n656 disab glob grp member del<BR>\\n657 disab glob grp del<BR>\\n658 enabl univ grp add<BR>\\n659 enabl univ grp chg<BR>\\n660 enabl univ grp member add<BR>\\n661 enabl univ grp member del<BR>\\n662 enabl univ grp del<BR>\\n663 disab univ grp add<BR>\\n664 disab univ grp chg<BR>\\n665 disab univ grp member add<BR>\\n666 disab univ grp member del<BR>\\n667 disab univ grp del<BR>\\n668 grp type changed<BR>\\n669 add sid history<BR>\\n670 add sid history<BR>\\n671 user acct unlocked<BR>\\n672 auth ticket granted<BR>\\n673 svc ticket granted<BR>\\n674 ticket granted renewed<BR>\\n675 pre-auth fail<BR>\\n676 auth ticket request failed<BR>\\n677 svc ticket request failed<BR>\\n678 acct mapped for logon by<BR>\\n679 could not map user<BR>\\n680 acct used for logon by<BR>\\n681 logon to acct fail<BR>\\n682 sess reconn to winstation<BR>\\n683 sess disconn from winstation<BR>\\n684 set acls in admin grps<BR>\\n685 acct name changed<BR>\\n686 pw of user accessed<BR>\\n687 appl grp created<BR>\\n688 appl grp changed<BR>\\n689 appl grp member added<BR>\\n690 appl grp member removed<BR>\\n691 appl grp non-member added<BR>\\n692 appl grp non-member removed<BR>\\n693 appl grp deleted<BR>\\n694 ldap query grp created<BR>\\n695 ldap query grp changed<BR>\\n696 ldap query grp deleted<BR>\\n697 pw policy check api called<BR>\\n806 per user audit policy refreshed<BR>\\n807 per user auditing policy set<BR>\\n808 sec event attempt to register<BR>\\n809 sec event attempt to unregister<BR>\\n848 policy active when fw started<BR>\\n849 appl listed as except at start<BR>\\n850 port listed as except at start<BR>\\n851 chg made to fw appl except list<BR>\\n852 chg made to fw port except list<BR>\\n853 fw operational mode chg<BR>\\n854 fw logging settings have chg<BR>\\n855 fw icmp setting chg<BR>\\n856 fw setting chg<BR>\\n857 fw setting chg<BR>\\n858 fw grp policy settings add<BR>\\n859 fw grp policy settings del<BR>\\n860 fw switched active profile<BR>\\n861 fw detect appl listening for traffic<BR>\\n1100 event logging svc shut down<BR>\\n1101 audit events dropped<BR>\\n1102 audit log cleared<BR>\\n1104 sec log now full<BR>\\n1105 event log automatic backup<BR>\\n1108 event logging svc error<BR>\\n4608 starting up<BR>\\n4609 shutting down<BR>\\n4610 auth pkg loaded by lsa<BR>\\n4611 trusted logon regist with lsa<BR>\\n4612 queuing of audit msg exhausted<BR>\\n4614 notif package loaded by sam<BR>\\n4615 invalid use of lpc port<BR>\\n4616 sys time chg<BR>\\n4618 monitored sec event occurred<BR>\\n4621 crashonauditfail recovery<BR>\\n4622 sec package loaded by lsa<BR>\\n4624 acct success logged on<BR>\\n4625 acct fail to log on<BR>\\n4626 user/device claims information<BR>\\n4627 grp membership information<BR>\\n4634 acct logged off<BR>\\n4646 ike dos-prevention mode started<BR>\\n4647 user initiated logoff<BR>\\n4648 logon attempt using explicit creds<BR>\\n4649 replay attack detected<BR>\\n4650 ipsec main mode sec assoc establ<BR>\\n4651 ipsec main mode sec assoc establ<BR>\\n4652 ipsec main mode neg fail<BR>\\n4653 ipsec main mode neg fail<BR>\\n4654 ipsec quick mode neg fail<BR>\\n4655 ipsec main mode sec assoc ended<BR>\\n4656 handle to obj requested<BR>\\n4657 registry value chg<BR>\\n4658 handle to obj closed<BR>\\n4659 handle request w intent to del<BR>\\n4660 obj del<BR>\\n4661 handle to obj requested<BR>\\n4662 operation performed on obj<BR>\\n4663 attempt to access obj<BR>\\n4664 attempt to create hard link<BR>\\n4665 attempt to create appl client context<BR>\\n4666 appl attempt operation<BR>\\n4667 appl client context del<BR>\\n4668 appl initialized<BR>\\n4670 permissions on obj chg<BR>\\n4671 appl access blocked ordinal<BR>\\n4672 special privs assigned to new logon<BR>\\n4673 priv svc called<BR>\\n4674 operation attempt on priv obj<BR>\\n4675 sids filtered<BR>\\n4688 new process been add<BR>\\n4689 process exited<BR>\\n4690 attempt made to duplicate handle to obj<BR>\\n4691 indirect access to obj requested<BR>\\n4692 data protect master key attempt<BR>\\n4693 data protect master key attempt<BR>\\n4694 data protect attempt<BR>\\n4695 data protect unprotect<BR>\\n4696 token assigned to process<BR>\\n4697 svc installed in sys<BR>\\n4698 scheduled task add<BR>\\n4699 scheduled task del<BR>\\n4700 scheduled task enabled<BR>\\n4701 scheduled task disabled<BR>\\n4702 scheduled task updated<BR>\\n4704 user right assigned<BR>\\n4705 user right del<BR>\\n4706 new trust add to domain<BR>\\n4707 trust to domain del<BR>\\n4709 ipsec svcs started<BR>\\n4710 ipsec svcs disabled<BR>\\n4711 pastore engine<BR>\\n4712 ipsec serious failure<BR>\\n4713 kerberos policy chg<BR>\\n4714 encrypted data recovery policy chg<BR>\\n4715 audit policy on obj chg<BR>\\n4716 trusted domain information chg<BR>\\n4717 sys sec access granted to acct<BR>\\n4718 sys sec access del from acct<BR>\\n4719 sys audit policy chg<BR>\\n4720 user acct add<BR>\\n4722 user acct enabled<BR>\\n4723 attempt made to chg acct's pw<BR>\\n4724 attempt made to reset accts pw<BR>\\n4725 user acct disabled<BR>\\n4726 user acct del<BR>\\n4727 sec-enabled glob grp add<BR>\\n4728 member add to sec-enabled glob grp<BR>\\n4729 member del from sec-enabled glob grp<BR>\\n4730 sec-enabled glob grp del<BR>\\n4731 sec-enabled local grp add<BR>\\n4732 member add to sec-enabled local grp<BR>\\n4733 member del from sec-enabled local grp<BR>\\n4734 sec-enabled local grp del<BR>\\n4735 sec-enabled local grp chg<BR>\\n4737 sec-enabled glob grp chg<BR>\\n4738 user acct chg<BR>\\n4739 domain policy chg<BR>\\n4740 user acct locked out<BR>\\n4741 computer acct add<BR>\\n4742 computer acct chg<BR>\\n4743 computer acct del<BR>\\n4744 sec-disabled local grp add<BR>\\n4745 sec-disabled local grp chg<BR>\\n4746 member add to sec-disabled local grp<BR>\\n4747 member del from sec-disabled local grp<BR>\\n4748 sec-disabled local grp del<BR>\\n4749 sec-disabled glob grp add<BR>\\n4750 sec-disabled glob grp chg<BR>\\n4751 member add to sec-disabled glob grp<BR>\\n4752 member del from sec-disabled glob grp<BR>\\n4753 sec-disabled glob grp del<BR>\\n4754 sec-enabled univ grp add<BR>\\n4755 sec-enabled univ grp chg<BR>\\n4756 member add to sec-enabled univ grp<BR>\\n4757 member del from sec-enabled univ grp<BR>\\n4758 sec-enabled univ grp del<BR>\\n4759 sec-disabled univ grp add<BR>\\n4760 sec-disabled univ grp chg<BR>\\n4761 member add to sec-disabled univ grp<BR>\\n4762 member del from sec-disabled univ grp<BR>\\n4763 sec-disabled univ grp del<BR>\\n4764 grps type chg<BR>\\n4765 sid history add to acct<BR>\\n4766 add sid history to acct fail<BR>\\n4767 user acct unlocked<BR>\\n4768 kerberos tgt requested<BR>\\n4769 kerberos svc ticket requested<BR>\\n4770 kerberos svc ticket renewed<BR>\\n4771 kerberos pre-auth fail<BR>\\n4772 kerberos auth ticket request fail<BR>\\n4773 kerberos svc ticket request fail<BR>\\n4774 acct mapped for logon<BR>\\n4775 acct could not map for logon<BR>\\n4776 attempt to validate acct<BR>\\n4777 fail to validate creds<BR>\\n4778 sess reconn to window station<BR>\\n4779 sess discon from window station<BR>\\n4780 acl set on admin grp accts<BR>\\n4781 name of acct chg<BR>\\n4782 pw hash acct accessed<BR>\\n4783 app grp add<BR>\\n4784 app grp chg<BR>\\n4785 member add to appl grp<BR>\\n4786 member del from appl grp<BR>\\n4787 non-member add to appl grp<BR>\\n4788 non-member del from appl grp<BR>\\n4789 app grp del<BR>\\n4790 ldap query grp add<BR>\\n4791 app grp chg<BR>\\n4792 ldap query grp del<BR>\\n4793 pw policy check api called<BR>\\n4794 dirsvc restore mode admin pw set<BR>\\n4797 query if blank pw for acct<BR>\\n4798 local grp membership enum<BR>\\n4799 local grp membership enum<BR>\\n4800 workstation locked<BR>\\n4801 workstation unlocked<BR>\\n4802 screen saver invoked<BR>\\n4803 screen saver dismissed<BR>\\n4816 rpc integrity violation<BR>\\n4817 auditing settings on obj chg<BR>\\n4818 central access policy<BR>\\n4819 central access policy<BR>\\n4820 tgt denied<BR>\\n4821 kerberos ticket denied<BR>\\n4822 ntlm auth fail<BR>\\n4823 ntlm auth fail<BR>\\n4824 kerberos preauth fail<BR>\\n4864 namespace collision<BR>\\n4865 trusted forest entry add<BR>\\n4866 trusted forest entry del<BR>\\n4867 trusted forest entry chg<BR>\\n4868 cert mgr denied<BR>\\n4869 cert svcs received cert request<BR>\\n4870 cert svcs revoked cert<BR>\\n4871 cert svcs request to crl<BR>\\n4872 cert svcs published crl<BR>\\n4873 cert request extension chg<BR>\\n4874 cert request attrib chg<BR>\\n4875 cert svcs request to shut down<BR>\\n4876 cert svcs backup start<BR>\\n4877 cert svcs backup complete<BR>\\n4878 cert svcs restore start<BR>\\n4879 cert svcs restore complete<BR>\\n4880 cert svcs started<BR>\\n4881 cert svcs stopped<BR>\\n4882 sec perms for cert svcs chg<BR>\\n4883 cert svcs retrieved key<BR>\\n4884 cert svcs imported cert<BR>\\n4885 audit filter for cert svcs chg<BR>\\n4886 cert svcs received cert request<BR>\\n4887 cert svcs approved issued cert<BR>\\n4888 cert svcs denied cert request<BR>\\n4889 cert svcs cert request now pending<BR>\\n4890 cert mgr settings for cert svcs chg<BR>\\n4891 config entry chg in cert svcs<BR>\\n4892 property of cert svcs chg<BR>\\n4893 cert svcs archived key<BR>\\n4894 cert svcs imported key<BR>\\n4895 cert svcs sent ca to ad domain svcs<BR>\\n4896 rows del from cert db<BR>\\n4897 role separation enabled<BR>\\n4898 cert svcs loaded template<BR>\\n4899 cert svcs template updated<BR>\\n4900 cert svcs template sec updated<BR>\\n4902 per-user audit table add<BR>\\n4904 register sec event source<BR>\\n4905 unregister sec event source<BR>\\n4906 crashonauditfail value chg<BR>\\n4907 auditing settings on obj chg<BR>\\n4908 special grps logon table chg<BR>\\n4909 local policy for tbs chg<BR>\\n4910 grp policy for tbs chg<BR>\\n4911 resource attrib of obj chg<BR>\\n4912 per user audit policy chg<BR>\\n4913 access policy on obj chg<BR>\\n4928 ad replica context chg<BR>\\n4929 ad replica context chg<BR>\\n4930 ad replica context chg<BR>\\n4931 ad replica context chg<BR>\\n4932 sync replica of ad context begun<BR>\\n4933 sync replica of ad context ended<BR>\\n4934 attributes of ad obj replicated<BR>\\n4935 replication failure begins<BR>\\n4936 replication failure ends<BR>\\n4937 lingering obj del from replica<BR>\\n4944 fw started policies<BR>\\n4945 rule listed when fw started<BR>\\n4946 fw exception list rule add<BR>\\n4947 fw exception list rule chg<BR>\\n4948 fw exception list rule del<BR>\\n4949 fw settings restored<BR>\\n4950 fw setting chg<BR>\\n4951 fw rule ignored<BR>\\n4952 fw rule ignored partially<BR>\\n4953 fw rule ignored<BR>\\n4954 fw grp policy chg<BR>\\n4956 fw chg active profile<BR>\\n4957 fw not apply rule<BR>\\n4958 fw not apply rule<BR>\\n4960 ipsec drop packet<BR>\\n4961 ipsec drop packet<BR>\\n4962 ipsec drop packet<BR>\\n4963 ipsec drop packet<BR>\\n4964 special grps for new logon<BR>\\n4965 ipsec invalid spi<BR>\\n4976 ipsec invalid neg packet<BR>\\n4977 ipsec invalid neg packet<BR>\\n4978 ipsec invalid neg packet<BR>\\n4979 ipsec sec assoc establ<BR>\\n4980 ipsec sec assoc establ<BR>\\n4981 ipsec sec assoc establ<BR>\\n4982 ipsec sec assoc establ<BR>\\n4983 ipsec extend mode neg fail<BR>\\n4984 ipsec extend mode neg fail<BR>\\n4985 state of transaction chg<BR>\\n5024 fw svc started success<BR>\\n5025 fw svc been stopped<BR>\\n5027 fw svc fail<BR>\\n5028 fw svc fail<BR>\\n5029 fw svc fail<BR>\\n5030 fw svc fail<BR>\\n5031 fw svc blocked app<BR>\\n5032 fw app notify fail<BR>\\n5033 fw driver started success<BR>\\n5034 fw driver been stopped<BR>\\n5035 fw driver fail to start<BR>\\n5037 fw drv err-terminating<BR>\\n5038 image hash invalid<BR>\\n5039 registry key virtualized<BR>\\n5040 ipsec chg auth set<BR>\\n5041 ipsec chg auth set<BR>\\n5042 ipsec chg auth set<BR>\\n5043 ipsec chg connsec rule<BR>\\n5044 ipsec chg connsec rule<BR>\\n5045 ipsec chg connsec rule<BR>\\n5046 ipsec chg crypto set<BR>\\n5047 ipsec chg crypto set<BR>\\n5048 ipsec chg crypto set<BR>\\n5049 ipsec sec assoc<BR>\\n5050 try to disable fw<BR>\\n5051 file virtualized<BR>\\n5056 crypt self test performed<BR>\\n5057 crypt primitive fail<BR>\\n5058 key file operation<BR>\\n5059 key migration operation<BR>\\n5060 verification operation fail<BR>\\n5061 cryptographic operation<BR>\\n5062 crypt self test<BR>\\n5063 crypt provider op attempt<BR>\\n5064 crypt context op attempt<BR>\\n5065 crypt context mod attempt<BR>\\n5066 crypt op attempt<BR>\\n5067 crypt mod attempt<BR>\\n5068 crypt provider op attempt<BR>\\n5069 crypt property op attempt<BR>\\n5070 crypt property op attempt<BR>\\n5071 key access denied<BR>\\n5120 ocsp responder svc started<BR>\\n5121 ocsp responder svc stopped<BR>\\n5122 ocsp responder chg<BR>\\n5123 config chg in ocsp<BR>\\n5124 sec setting update on ocsp<BR>\\n5125 request submitted to ocsp<BR>\\n5126 signing cert updated by ocsp<BR>\\n5127 ocsp updated revocation info<BR>\\n5136 dir svc obj chg<BR>\\n5137 dir svc obj add<BR>\\n5138 dir svc obj undel<BR>\\n5139 dir svc obj moved<BR>\\n5140 net share obj accessed<BR>\\n5141 dir svc obj del<BR>\\n5142 net share obj add<BR>\\n5143 net share obj chg<BR>\\n5144 net share obj del<BR>\\n5145 net share obj checked<BR>\\n5146 filter blocked packet<BR>\\n5147 filter blocked packet<BR>\\n5148 filter detected dos<BR>\\n5149 dos attack subsided<BR>\\n5150 filter blocked packet<BR>\\n5151 filter blocked packet<BR>\\n5152 filter blocked packet<BR>\\n5153 filter blocked packet<BR>\\n5154 filter permit appl<BR>\\n5155 filter blocked appl<BR>\\n5156 filter allowed conn<BR>\\n5157 filter blocked conn<BR>\\n5158 filter permitted local bind<BR>\\n5159 filter blocked local bind<BR>\\n5168 spn check for smb fails<BR>\\n5376 cred mgr creds backed up<BR>\\n5377 cred mgr creds restored<BR>\\n5378 creds delegation disallowed<BR>\\n5440 filter<BR>\\n5441 filter<BR>\\n5442 filter<BR>\\n5443 filter<BR>\\n5444 filter<BR>\\n5446 filter<BR>\\n5447 filter<BR>\\n5448 filter<BR>\\n5449 filter<BR>\\n5450 filter<BR>\\n5451 ipsec quick mode start<BR>\\n5452 ipsec quick mode end<BR>\\n5453 ipsec failed<BR>\\n5456 pastore engine<BR>\\n5457 pastore engine<BR>\\n5458 pastore engine<BR>\\n5459 pastore engine<BR>\\n5460 pastore engine<BR>\\n5461 pastore engine<BR>\\n5462 pastore engine<BR>\\n5463 pastore engine<BR>\\n5464 pastore engine<BR>\\n5465 pastore engine<BR>\\n5466 pastore engine<BR>\\n5467 pastore engine<BR>\\n5468 pastore engine<BR>\\n5471 pastore engine<BR>\\n5472 pastore engine<BR>\\n5473 pastore engine<BR>\\n5474 pastore engine<BR>\\n5477 pastore engine<BR>\\n5478 ipsec started<BR>\\n5479 ipsec shut down<BR>\\n5480 ipsec fail<BR>\\n5483 ipsec fail<BR>\\n5484 ipsec fail<BR>\\n5485 ipsec fail<BR>\\n5632 auth to wireless net<BR>\\n5633 auth to wired net<BR>\\n5712 rpc attempt<BR>\\n5888 obj in com catalog mod<BR>\\n5889 obj in com catalog del<BR>\\n5890 obj in com catalog add<BR>\\n6144 grp sec policy applied<BR>\\n6145 sec policy error<BR>\\n6272 granted access to user<BR>\\n6273 denied access to user<BR>\\n6274 discarded request<BR>\\n6275 discarded request<BR>\\n6276 quarantined user<BR>\\n6277 granted access<BR>\\n6278 granted access<BR>\\n6279 locked acct-repeat fails<BR>\\n6280 unlocked user acct<BR>\\n6281 invalid image page hashes<BR>\\n6400 incorrectly formatted<BR>\\n6401 incorrectly formatted<BR>\\n6402 incorrectly formatted<BR>\\n6403 incorrectly formatted<BR>\\n6404 cache not authenticated<BR>\\n6405 event id reoccurrences<BR>\\n6406 regist for fw filtering<BR>\\n6408 product fail fw regist<BR>\\n6409 svc conn not parsed<BR>\\n6416 new ext device on sys<BR>\"\n  },\n  \"aggs\": [],\n  \"listeners\": {}\n}",
+  "uiStateJSON": "{}",
+  "description": "",
+  "version": 1,
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\n  \"query\": {\n    \"query_string\": {\n      \"query\": \"*\",\n      \"analyze_wildcard\": true\n    }\n  },\n  \"filter\": []\n}"
+  }
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Markup-Powershell b/sof-elk/dashboards/timelineplaso/visualization/TL-Markup-Powershell
new file mode 100644
index 0000000..d5ea098
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Markup-Powershell
@@ -0,0 +1,10 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}"
+  },
+  "version": 1,
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"TL-Markup-Powershell\",\"type\":\"markdown\",\"params\":{\"markdown\":\"If HostName=ConsoleHost then local session  | If HostName=ServerRemoteHost then remote session  \\n--------------------- | ------------------\\nID 400: Engine Started  | ID 6: Creating WSMan Session\\nID 403: Engine Stopped  | ID 169: User X authenticated successfully using NTLM\\nID 40961: PowerShell console is starting up  | ID 81: Processing client request for operation CreateShell\\nID 4100: Error Messages (PS 3.0 and higher)  | ID 134: Sending response for operation DeleteShell  \\nID 7937: Executed cmdlets, scripts, or commands  .. | ID 32850: Creating a server remote session.  Username listed  \\n | ID 32867: Received remoting fragment.  Payload data.  Encoded.  \\n | ID 32868: Sent remoting fragment.  Payload data.  Encoded.\"},\"aggs\":[],\"listeners\":{}}",
+  "title": "TL-Markup-Powershell"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Member_Changes b/sof-elk/dashboards/timelineplaso/visualization/TL-Member_Changes
new file mode 100644
index 0000000..b3fe52d
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Member_Changes
@@ -0,0 +1,11 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"filter\":[]}"
+  },
+  "version": 1,
+  "savedSearchId": "TL-Member_Changes",
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"evt-eventid\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+  "title": "TL-Member_Changes"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Powershell_all b/sof-elk/dashboards/timelineplaso/visualization/TL-Powershell_all
new file mode 100644
index 0000000..b9e2d57
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Powershell_all
@@ -0,0 +1,11 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"filter\":[]}"
+  },
+  "version": 1,
+  "savedSearchId": "TL-Powershell-All",
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"New Visualization\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"Powershell events over time\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"evt-eventid\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event ID #\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"user_sid.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User SID\",\"row\":true}}],\"listeners\":{}}",
+  "title": "TL-Powershell_all"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-Users-over-time b/sof-elk/dashboards/timelineplaso/visualization/TL-Users-over-time
new file mode 100644
index 0000000..0d13f71
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-Users-over-time
@@ -0,0 +1,10 @@
+{
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"index\":\"timelineplaso-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
+  },
+  "version": 1,
+  "description": "",
+  "uiStateJSON": "{}",
+  "visState": "{\"title\":\"TL - FN and EventID\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user_sid.raw\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
+  "title": "TL - Users over time"
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-mark-group b/sof-elk/dashboards/timelineplaso/visualization/TL-mark-group
new file mode 100644
index 0000000..bc47f03
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-mark-group
@@ -0,0 +1,10 @@
+{
+  "title": "TL-mark-group",
+  "visState": "{\"title\":\"TL-mark-group\",\"type\":\"markdown\",\"params\":{\"markdown\":\"####Group account adds, deletes, modifications \\nColumn 1 | Column 2 | Column 3\\n------ | -------- | -----\\n4727 Security Global Created | 4744 Distrib Local Created | 4749 Distrib Global Created\\n4730 Security Global Deleted | 4750 Distrib Global Changed | 4760 Distrib Universal Changed\\n4731 Security Local Created | 4753 Distrib Global Deleted | 4745 Distrib Local Changed\\n4734 Security Local Deleted | 4755 Security Universal Changed   . | 4763 Distrib Universal Deleted\\n4735 Security Global Changed    . | 4758 Security Universal Deleted | 4748 Distrib Local Deleted\\n4737 Security Local Changed | 4759 Distrib Glob/Univ Deleted\"},\"aggs\":[],\"listeners\":{}}",
+  "uiStateJSON": "{}",
+  "description": "",
+  "version": 1,
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
+  }
+}
diff --git a/sof-elk/dashboards/timelineplaso/visualization/TL-mark-user b/sof-elk/dashboards/timelineplaso/visualization/TL-mark-user
new file mode 100644
index 0000000..5048da5
--- /dev/null
+++ b/sof-elk/dashboards/timelineplaso/visualization/TL-mark-user
@@ -0,0 +1,10 @@
+{
+  "title": "TL-mark-user",
+  "visState": "{\"title\":\"TL-mark-user\",\"type\":\"markdown\",\"params\":{\"markdown\":\"####User account adds, deletes, modifications\\nColumn 1 | Column 2 | Column 3\\n---- | ---- | ----\\n4728 Sec Global Added | 4746 Distrib Local Added | 4756 Sec Univeral Added\\n4729 Sec Global Removed    .| 4747 Distrib Local Removed | 4757 Sec Universal Removed\\n4732 Sec Local Added | 4751 Distrib Global Added | 4761 Distrib Univ Added\\n4733 Sec Local Added | 4752 Distrib Global Removed   . | 4762 Distrib Univ Removed\"},\"aggs\":[],\"listeners\":{}}",
+  "uiStateJSON": "{}",
+  "description": "",
+  "version": 1,
+  "kibanaSavedObjectMeta": {
+    "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
+  }
+}
diff --git a/sof-elk/supporting-scripts/load_all_dashboards.sh b/sof-elk/supporting-scripts/load_all_dashboards.sh
index 5433c7b..0516be1 100755
--- a/sof-elk/supporting-scripts/load_all_dashboards.sh
+++ b/sof-elk/supporting-scripts/load_all_dashboards.sh
@@ -8,16 +8,18 @@
 
 ARGC=$#
 
-es_host=localhost
+es_host=elasticsearch
 es_port=9200
-kibana_host=localhost
+kibana_host=kibana
 kibana_port=5601
 kibana_index=.kibana
 
-kibana_version=$( jq -r '.version' < /usr/share/kibana/package.json )
-kibana_build=$(jq -r '.build.number' < /usr/share/kibana/package.json )
+kibana_version=${ES_VERSION:-6.5.0}
+kibana_build=${ES_VERSION:-6.5.0}
 
-dashboard_dir="/usr/local/sof-elk/dashboards/"
+#sofelk_dir="/usr/local/sof-elk"
+sofelk_dir=$(pwd)/sof-elk
+dashboard_dir=${sofelk_dir}/dashboards
 
 # enter a holding pattern until the elasticsearch server is available, but don't wait too long
 max_wait=60
@@ -35,8 +37,8 @@ done
 # re-insert all ES templates in case anything has changed
 # this will not change existing mappings, just new indexes as they are created
 # (And why-oh-why isn't this handled by "template_overwrite = true" in the logstash output section?!?!?!?!)
-for es_template in $( ls -1 /usr/local/sof-elk/lib/elasticsearch-*-template.json | sed 's/.*elasticsearch-\(.*\)-template.json/\1/' ); do
-    curl -s -XPUT -H 'Content-Type: application/json' http://${es_host}:${es_port}/_template/${es_template} -d @/usr/local/sof-elk/lib/elasticsearch-${es_template}-template.json > /dev/null
+for es_template in $( ls -1 ${sofelk_dir}/lib/elasticsearch-*-template.json | sed 's/.*elasticsearch-\(.*\)-template.json/\1/' ); do
+    curl -s -XPUT -H 'Content-Type: application/json' http://${es_host}:${es_port}/_template/${es_template} -d @${sofelk_dir}/lib/elasticsearch-${es_template}-template.json > /dev/null
 done
 
 # set the default index pattern, time zone, and add TZ offset to the default date format 
diff --git a/startup/Dockerfile b/startup/Dockerfile
new file mode 100644
index 0000000..1bfee6c
--- /dev/null
+++ b/startup/Dockerfile
@@ -0,0 +1,12 @@
+# This file is used to run necessary startup and various tasks in the stack
+
+FROM debian:9
+
+RUN apt-get update && apt-get install -y curl
+
+RUN mkdir /app
+COPY startup.sh /app
+WORKDIR /app
+RUN chmod +x startup.sh
+
+CMD ./startup.sh
\ No newline at end of file
diff --git a/startup/startup.sh b/startup/startup.sh
new file mode 100644
index 0000000..408bf9c
--- /dev/null
+++ b/startup/startup.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo "Running scripts"
+if [ -f /sof-elk/already_done ]; then
+    echo "Already ran scripts!"
+    exit 0
+fi
+#touch /sof-elk/already_done
+
+bash /sof-elk/supporting-scripts/load_all_dashboards.sh
\ No newline at end of file