-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Winlogbeat Security new dashboards - Older dashboards improvements #18775
Winlogbeat Security new dashboards - Older dashboards improvements #18775
Conversation
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
jenkins, run tests please |
Pinging @elastic/siem (Team:SIEM) |
I also gave the file names instead of UUIDs since the export_dashboard.go tool does with when you use the -yml option.
jenkins, run tests |
jenkins, run tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These look great. Thank you!
I'll probably adopt that header format across all of the dashboards.
…lastic#18775) This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard New Dashboards User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections. Failed and Blocked Accounts allow us to keep track to failed logons and locked out account Existing Dashboards Added Distribution groups Events (elastic#15217) Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added All Dashboards Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards) image Visualization that use may events (like group management related visualizations) were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization) Removed the margin between panels to look in the same way that other beats dashboards TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors Co-authored-by: Andrew Kroh <[email protected]>
While testing some issues with index patterns and winlogbeat dashboards I've realize that this dashboards are not in winlogbeat 7.9.x. |
…lastic#18775) This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard New Dashboards User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections. Failed and Blocked Accounts allow us to keep track to failed logons and locked out account Existing Dashboards Added Distribution groups Events (elastic#15217) Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added All Dashboards Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards) image Visualization that use may events (like group management related visualizations) were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization) Removed the margin between panels to look in the same way that other beats dashboards TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 7b9c535)
…18775) (#22598) This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard New Dashboards User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections. Failed and Blocked Accounts allow us to keep track to failed logons and locked out account Existing Dashboards Added Distribution groups Events (#15217) Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added All Dashboards Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards) image Visualization that use may events (like group management related visualizations) were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization) Removed the margin between panels to look in the same way that other beats dashboards TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 7b9c535) Co-authored-by: Anabella Cristaldi <[email protected]>
The dashboards were imported together from beats where they co-existed after the second sets addition. The changes that added them to beats appear to have been: - elastic/beats#18775 - elastic/beats#15236
The dashboards were imported together from beats where they co-existed after the second sets addition. The changes that added them to beats appear to have been: - elastic/beats#18775 - elastic/beats#15236
What does this PR do?
This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard
New Dashboards
Existing Dashboards
All Dashboards
Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
Visualization that use may events (like group management related visualizations)
were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)
Removed the margin between panels to look in the same way that other beats dashboards
TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors
Why is it important?
These dashboards allows to take profit of the events processed by the winlogbeat security.
All of them were created for real life companies (a telco company and a hospital) and are heavily used in the day-by-day security operation.
Checklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Screenshots
Failed and Blocked Accounts
User Logons
Group Managment
User Management