Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Winlogbeat Security new dashboards - Older dashboards improvements #18775

Merged
merged 5 commits into from
Jun 4, 2020
Merged

Winlogbeat Security new dashboards - Older dashboards improvements #18775

merged 5 commits into from
Jun 4, 2020

Conversation

janniten
Copy link
Contributor

@janniten janniten commented May 27, 2020

What does this PR do?

This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

  • User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
  • Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

All Dashboards

  • Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

  • Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

  • Removed the margin between panels to look in the same way that other beats dashboards

  • TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Why is it important?

These dashboards allows to take profit of the events processed by the winlogbeat security.
All of them were created for real life companies (a telco company and a hospital) and are heavily used in the day-by-day security operation.

Checklist

  • My code follows the style guidelines of this project
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Screenshots

Failed and Blocked Accounts
Screenshot_2020-05-27  Winlogbeat Security  Failed and Blocked Accounts - Elastic Kibana

User Logons
Screenshot_2020-05-27  Winlogbeat Security  User Logons - Elastic Kibana

Group Managment
Screenshot_2020-05-27  Winlogbeat Security  Group Management Events - Elastic Kibana

User Management

Screenshot_2020-05-27  Winlogbeat Security  User Management Events - Elastic Kibana

@janniten janniten requested a review from a team as a code owner May 27, 2020 13:51
@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

1 similar comment
@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 27, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented May 27, 2020

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [andrewkroh commented: jenkins, run tests]

  • Start Time: 2020-06-04T21:06:15.374+0000

  • Duration: 38 min 24 sec

Test stats 🧪

Test Results
Failed 0
Passed 598
Skipped 127
Total 725

@andrewkroh
Copy link
Member

jenkins, run tests please

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 27, 2020
@botelastic botelastic bot added the Team:Automation Label for the Observability productivity team label Jun 4, 2020
janniten and others added 3 commits June 4, 2020 13:19
I also gave the file names instead of UUIDs since the export_dashboard.go tool does with when you use the -yml option.
@andrewkroh
Copy link
Member

jenkins, run tests

@andrewkroh andrewkroh removed the Team:Automation Label for the Observability productivity team label Jun 4, 2020
@andrewkroh
Copy link
Member

jenkins, run tests

Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These look great. Thank you!

I'll probably adopt that header format across all of the dashboards.

@andrewkroh andrewkroh merged commit 7b9c535 into elastic:master Jun 4, 2020
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
…lastic#18775)

This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (elastic#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <[email protected]>
@janniten
Copy link
Contributor Author

janniten commented Oct 23, 2020

While testing some issues with index patterns and winlogbeat dashboards I've realize that this dashboards are not in winlogbeat 7.9.x.
The older version is installed instead (#15236).
The new version fixes some issues and adds functionality.
Is there any reason why this dashboards (#18775) are not used? @andrewkroh Should I modify something?
Thank you

andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Nov 16, 2020
…lastic#18775)

This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (elastic#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit 7b9c535)
andrewkroh added a commit that referenced this pull request Nov 30, 2020
…18775) (#22598)

This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit 7b9c535)

Co-authored-by: Anabella Cristaldi <[email protected]>
efd6 added a commit to efd6/integrations that referenced this pull request Mar 20, 2023
The dashboards were imported together from beats where they co-existed
after the second sets addition. The changes that added them to beats
appear to have been:

- elastic/beats#18775
- elastic/beats#15236
efd6 added a commit to elastic/integrations that referenced this pull request Mar 20, 2023
The dashboards were imported together from beats where they co-existed
after the second sets addition. The changes that added them to beats
appear to have been:

- elastic/beats#18775
- elastic/beats#15236
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants