Analysis updated 2026-05-18
Import ready-made threat hunting dashboards into Security Onion 3.0 and start hunting DNS, HTTP, or SMB anomalies immediately
Baseline normal network behavior for a protocol, then use the rare-event tables to surface suspicious outliers
Use the MITRE ATT&CK panel annotations to teach junior analysts what attack patterns to look for in each protocol
Add ICS protocol threat hunt coverage for Modbus and DNP3 in an industrial network security monitoring setup
| | jconeby/elastic-peak-dashboards | 0marildo/imago | abdurrafey237/rag-chatbot |
|---|---|---|---|
| Stars | 3 | 3 | 3 |
| Language | — | Python | Jupyter Notebook |
| Setup difficulty | moderate | easy | moderate |
| Complexity | 3/5 | 2/5 | 3/5 |
| Audience | ops devops | general | general |
Figures from each repo's GitHub metadata at analysis time.
Requires an existing Security Onion 3.0 deployment with Kibana, Zeek, and Suricata producing data before importing the NDJSON dashboard files.
Elastic PEAK Dashboards is a collection of ready-made security monitoring dashboards for Kibana, designed for analysts who want to hunt for threats on their own network. You import the dashboard files into a Kibana instance that is already receiving network traffic data from Security Onion 3.0, and the dashboards immediately provide structured views for investigating suspicious activity.

The dashboards follow the PEAK threat hunting methodology (Prepare, Execute, Act with Knowledge). The core idea is that you cannot recognize something suspicious until you know what normal looks like. Each dashboard is therefore built in two phases: first it shows what normal traffic looks like for a given network protocol (total volume, most common sources, typical values), and then it highlights outliers: rare connections, unusual values, and statistically uncommon combinations that might indicate an attacker. Working through those low-frequency events, rather than the top-N views, is where the actual hunting happens.

The collection covers a wide range of network protocols: DNS, HTTP, TLS certificates, SMB file sharing, Kerberos authentication, SSH, RDP, and industrial control system protocols such as Modbus and DNP3. Each dashboard also includes a plain-text explanation panel describing what the protocol does, which attack patterns to look for in it, and which MITRE ATT&CK technique IDs apply. This makes the dashboards useful as training material for newer analysts, not only as hunt tools for experienced ones.

Installing a dashboard requires Kibana running with Security Onion 3.0, plus the Zeek and Suricata data feeds it generates. To add a dashboard, import its NDJSON file through Kibana's Saved Objects management page (Stack Management > Saved Objects > Import). Each file is self-contained and needs no configuration beyond confirming that the default index pattern the visualizations reference exists; a missing or renamed index pattern is the usual reason an import reports broken references.
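To make the two-phase idea concrete, here is an added example (not code from the elastic-peak-dashboards repo) that reproduces, offline and in plain Python, what a DNS dashboard's baseline and rare-event panels show: the common values first, then the low-frequency values and statistically unusual query lengths. The records are constructed Zeek dns.log lines in the JSON form Security Onion emits; field names follow Zeek's dns.log schema, and the thresholds (`max_count`, the modified z-score cut-off) are assumptions chosen for illustration.

```python
"""PEAK-style baseline and rare-event pass over Zeek dns.log records.

Added example, not code from the elastic-peak-dashboards repo. Records are
constructed; thresholds are illustrative assumptions.
"""
import json
import statistics
from collections import Counter

# Constructed Zeek dns.log lines (JSON, one record per line), not real traffic.
# Three workstations doing ordinary A lookups, one AAAA lookup, one NXDOMAIN,
# and one host (10.0.0.9) sending long TXT queries to a single domain.
SAMPLE_DNS_LOG = """\
{"ts":1716000000.0,"id.orig_h":"10.0.0.5","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000001.0,"id.orig_h":"10.0.0.6","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000002.0,"id.orig_h":"10.0.0.7","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000003.0,"id.orig_h":"10.0.0.5","query":"mail.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000004.0,"id.orig_h":"10.0.0.6","query":"mail.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000005.0,"id.orig_h":"10.0.0.7","query":"mail.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000006.0,"id.orig_h":"10.0.0.5","query":"login.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000007.0,"id.orig_h":"10.0.0.6","query":"login.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000008.0,"id.orig_h":"10.0.0.7","query":"login.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000009.0,"id.orig_h":"10.0.0.5","query":"updates.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1716000010.0,"id.orig_h":"10.0.0.7","query":"login.example.com","qtype_name":"AAAA","rcode_name":"NOERROR"}
{"ts":1716000011.0,"id.orig_h":"10.0.0.9","query":"nbswy3dpeb3w64tmmqqhe2lhnbytcni2gezdgmrtgiytcnagiytcna.exfil.attacker-test.invalid","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1716000012.0,"id.orig_h":"10.0.0.9","query":"ge3dgmrtgiytcmjrgiztinjwg4ydgnjrhaytemjtgm.exfil.attacker-test.invalid","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1716000013.0,"id.orig_h":"10.0.0.6","query":"nonexistent.example.com","qtype_name":"A","rcode_name":"NXDOMAIN"}
"""


def parse_zeek_json(text):
    """Parse newline-delimited JSON Zeek records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline(records, field, top=5):
    """Phase 1: what normal looks like, the most common values of one field."""
    return Counter(r.get(field, "-") for r in records).most_common(top)


def rare_events(records, fields, max_count=2):
    """Phase 2: the rare-event table. Returns (value_tuple, count) for each
    combination of `fields` seen at most `max_count` times, rarest first.
    Passing several fields gives the 'uncommon combination' view."""
    combos = Counter(tuple(r.get(f, "-") for f in fields) for r in records)
    rare = [(k, c) for k, c in combos.items() if c <= max_count]
    return sorted(rare, key=lambda kc: (kc[1], kc[0]))


def long_query_outliers(records, threshold=3.5):
    """Statistical outliers on query length using the modified z-score
    0.6745 * |x - median| / MAD. Unusually long names are the classic DNS
    tunnelling tell (ATT&CK T1071.004). MAD is floored at 1 so a baseline of
    near-identical lengths does not divide by zero and flag everything."""
    lengths = [len(r.get("query", "")) for r in records]
    med = statistics.median(lengths)
    mad = max(statistics.median(abs(x - med) for x in lengths), 1.0)
    flagged = []
    for r, x in zip(records, lengths):
        score = 0.6745 * abs(x - med) / mad
        if score > threshold:
            flagged.append((r["id.orig_h"], r["query"], round(score, 1)))
    return flagged


def hunt(text):
    """Run the baseline and rare-event views a DNS dashboard would show."""
    records = parse_zeek_json(text)
    return {
        "baseline_qtype": baseline(records, "qtype_name"),
        "rare_qtype": rare_events(records, ("qtype_name",)),
        "rare_host_qtype": rare_events(records, ("id.orig_h", "qtype_name")),
        "rare_rcode": rare_events(records, ("rcode_name",)),
        "long_queries": long_query_outliers(records),
    }


if __name__ == "__main__":
    for name, rows in hunt(SAMPLE_DNS_LOG).items():
        print(f"== {name}")
        for row in rows:
            print("  ", row)
```

Note that the rare tables deliberately return benign noise alongside the interesting rows (the single AAAA lookup shows up next to the TXT queries from 10.0.0.9); that is the point of the method. The baseline tells you what is ordinary, the rare table gives you a short list to triage, and the analyst, not the threshold, decides which rows matter. In Kibana the same split is what the dashboard's top-N and rare-value panels give you over the live Zeek index.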
Importable Kibana dashboards that implement the PEAK Baseline Threat Hunt methodology across 15+ network protocols, with MITRE ATT&CK mappings, for Security Onion 3.0.
Setup difficulty is rated moderate, with roughly 30 min to a first successful run.
Mainly ops and devops.
Verify against the repo before relying on details.