explaingit

jconeby/elastic-peak-dashboards

Analysis updated 2026-05-18

Stars · 3 Audience · ops devops Complexity · 3/5 Setup · moderate

TLDR

Importable Kibana dashboards that implement the PEAK Baseline Threat Hunt methodology across 15+ network protocols, with MITRE ATT&CK mappings, for Security Onion 3.0.

Mindmap

mindmap
  root((repo))
    What it is
      Kibana dashboards
      Threat hunt tool
      PEAK methodology
    Protocols Covered
      DNS HTTP TLS
      SMB Kerberos SSH
      ICS Modbus DNP3
    Dashboard Design
      Baseline phase
      Deviation phase
      MITRE ATT&CK tags
    Setup
      Security Onion 3.0
      Import ndjson file
      Zeek and Suricata

What do people build with it?

USE CASE 1

Import ready-made threat hunting dashboards into Security Onion 3.0 and start hunting DNS, HTTP, or SMB anomalies immediately

USE CASE 2

Baseline normal network behavior for a protocol, then use the rare-event tables to surface suspicious outliers

USE CASE 3

Use the MITRE ATT&CK panel annotations to teach junior analysts what attack patterns to look for in each protocol

USE CASE 4

Add ICS protocol threat hunt coverage for Modbus and DNP3 in an industrial network security monitoring setup

What is it built with?

Kibana, Elasticsearch, Zeek, Suricata, NDJSON

How does it compare?

                   jconeby/elastic-peak-dashboards   marildo/imago   abdurrafey237/rag-chatbot
Stars              3                                 3               3
Language           (not listed)                      Python          Jupyter Notebook
Setup difficulty   moderate                          easy            moderate
Complexity         3/5                               2/5             3/5
Audience           ops devops                        general         general

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires an existing Security Onion 3.0 deployment with Kibana, Zeek, and Suricata producing data before importing the NDJSON dashboard files.

In plain English

Elastic PEAK Dashboards is a collection of ready-made security monitoring dashboards for Kibana, designed for analysts who want to hunt for cyber threats on their network. You import the dashboard files into a Kibana instance that is already receiving network traffic data from Security Onion 3.0, and the dashboards immediately provide structured views for investigating suspicious activity.

The dashboards follow a methodology called PEAK, which stands for Prepare, Execute, Act with Knowledge. The core idea is that you cannot recognize something suspicious until you know what normal looks like. Each dashboard is built in two phases: first it shows what normal traffic looks like for a given network protocol (total volume, most-common sources, typical patterns), and then it highlights outliers: rare connections, unusual values, and statistically uncommon combinations that might indicate an attacker. Finding the low-frequency events is where actual threat hunting happens.

The collection covers a wide range of network protocols: DNS, HTTP, TLS certificates, SMB file sharing, Kerberos authentication, SSH, RDP, and industrial control system protocols like Modbus and DNP3. Each dashboard also includes a plain-text explanation panel describing what the protocol does, what specific attack patterns to look for, and which MITRE ATT&CK technique codes apply. This makes the dashboards useful as training material for newer analysts, not only as hunt tools for experienced ones.

Installing a dashboard requires Kibana running with Security Onion 3.0, plus the Zeek and Suricata data feeds it generates. To add a dashboard, you import its NDJSON file through the Kibana saved objects menu. Each file is self-contained and needs no extra configuration beyond confirming that the default index pattern exists.
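The two-phase design described above (baseline first, then surface the low-frequency rows) can be shown outside Kibana with a small script. The following is an added example written for this page, not code from the elastic-peak-dashboards repo or from Security Onion: it runs the same baseline-then-deviation pass over a handful of constructed records in the shape of Zeek's dns.log JSON output (the field names `id.orig_h`, `query` and `qtype_name` are Zeek's; every value is made up), and the thresholds `max_count` and `max_name_len` are arbitrary choices for the illustration, not values taken from the dashboards.

```python
"""Added example: PEAK-style baseline and rare-event tables over constructed Zeek dns.log records."""
import json
from collections import Counter, defaultdict

# Constructed sample records in Zeek dns.log JSON shape. Field names are Zeek's;
# hosts, names and timestamps are invented for this example.
SAMPLE_DNS_LOG = "\n".join([
    '{"ts":1.0,"id.orig_h":"10.0.0.11","query":"updates.example.com","qtype_name":"A"}',
    '{"ts":2.0,"id.orig_h":"10.0.0.11","query":"updates.example.com","qtype_name":"A"}',
    '{"ts":3.0,"id.orig_h":"10.0.0.11","query":"updates.example.com","qtype_name":"A"}',
    '{"ts":4.0,"id.orig_h":"10.0.0.11","query":"mail.example.com","qtype_name":"A"}',
    '{"ts":5.0,"id.orig_h":"10.0.0.11","query":"mail.example.com","qtype_name":"A"}',
    '{"ts":6.0,"id.orig_h":"10.0.0.12","query":"updates.example.com","qtype_name":"A"}',
    '{"ts":7.0,"id.orig_h":"10.0.0.12","query":"updates.example.com","qtype_name":"A"}',
    '{"ts":8.0,"id.orig_h":"10.0.0.12","query":"www.example.org","qtype_name":"AAAA"}',
    '{"ts":9.0,"id.orig_h":"10.0.0.12","query":"mail.example.com","qtype_name":"A"}',
    '{"ts":10.0,"id.orig_h":"10.0.0.13","query":"updates.example.com","qtype_name":"A"}',
    '{"ts":11.0,"id.orig_h":"10.0.0.13","query":"x7q9z2k1m3p5r8t0v4w6y1a3c5e7g9i2k4m6o8q0s2u4w6y8.cdn-sync.example.net","qtype_name":"TXT"}',
    '{"ts":12.0,"id.orig_h":"10.0.0.13","query":"printer-07.corp.example.com","qtype_name":"A"}',
])


def parse_dns_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # A torn or truncated line should not abort the whole pass.
            continue
    return records


def baseline(records: list[dict]) -> dict:
    """Phase 1 (baseline): total volume, most-common queries, most-active clients, record types."""
    return {
        "total": len(records),
        "queries": Counter(r["query"] for r in records),
        "clients": Counter(r["id.orig_h"] for r in records),
        "qtypes": Counter(r["qtype_name"] for r in records),
    }


def rare_events(records: list[dict], base: dict, max_count: int = 1, max_name_len: int = 60) -> dict:
    """Phase 2 (deviation): rows that fall outside the baseline.

    max_count and max_name_len are illustrative thresholds chosen for this example;
    in practice they are tuned to the environment being baselined.
    """
    clients_by_query = defaultdict(set)
    for r in records:
        clients_by_query[r["query"]].add(r["id.orig_h"])
    # Low-frequency queries, with the clients that issued them.
    rare_queries = sorted(
        (q, c, sorted(clients_by_query[q]))
        for q, c in base["queries"].items()
        if c <= max_count
    )
    # Unusual values: query names far longer than anything in the baseline.
    long_names = sorted(q for q in base["queries"] if len(q) > max_name_len)
    # Record types that almost never appear in this dataset.
    rare_qtypes = sorted(t for t, c in base["qtypes"].items() if c <= max_count)
    return {"rare_queries": rare_queries, "long_names": long_names, "rare_qtypes": rare_qtypes}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    base = baseline(recs)
    print("baseline: total", base["total"], "top queries", base["queries"].most_common(3))
    print("baseline: top clients", base["clients"].most_common(3), "qtypes", dict(base["qtypes"]))
    for q, c, clients in rare_events(recs, base)["rare_queries"]:
        print(f"rare query ({c}x): {q} from {clients}")
```

The baseline table is what the first half of each dashboard shows (volume and top-N); the rare-event table is what the second half surfaces. Everything that lands in `rare_events` is a lead for an analyst to check against the explanation panel for that protocol, not a verdict on its own.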

Copy-paste prompts

Prompt 1
How do I import the PEAK Baseline Threat Hunt dashboards into Kibana on Security Onion 3.0? Walk me through the import steps and any prerequisites.
Prompt 2
I want to hunt for Kerberoasting in my Active Directory environment using the PEAK Kerberos dashboard. What fields and patterns indicate an attack?
Prompt 3
How does the PEAK methodology work? Explain the two-phase baseline-then-deviate design used across these Kibana dashboards.
Prompt 4
I'm looking for DNS tunneling or C2 communication in my network. What rare query patterns or fields in the PEAK DNS dashboard should I investigate?

Frequently asked questions

What is elastic-peak-dashboards?

Importable Kibana dashboards that implement the PEAK Baseline Threat Hunt methodology across 15+ network protocols, with MITRE ATT&CK mappings, for Security Onion 3.0.

How hard is elastic-peak-dashboards to set up?

Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.

Who is elastic-peak-dashboards for?

Mainly ops and devops teams.
