diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index dcfe6e3c9ab..7d155d3ca72 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -477,6 +477,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Set process.command_line and process.parent.command_line from Sysmon Event ID 1. {pull}17327[17327] - Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517] - Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058] +- Add new winlogbeat security dashboard {pull}18775[18775] ==== Deprecated diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-failed-blocked-accounts-tsvb.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-failed-blocked-accounts-tsvb.json new file mode 100644 index 00000000000..b6856b1f66b --- /dev/null +++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-failed-blocked-accounts-tsvb.json 
@@ -0,0 +1,2018 @@ +{ + "objects": [ + { + "attributes": { + "description": "Failed and blocked accounts with TSVB metrics.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "1", + "w": 14, + "x": 0, + "y": 0 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "Failed Logins": "#EF843C", + "Failed Logons": "#E24D42", + "Successful Login": "#B7DBAB", + "Successful Logon": "#9AC48A" + }, + "legendOpen": true, + "title": "Login Successful vs Failed", + "vis": { + "colors": { + "Failed Logins": "#EF843C", + "Failed Logons": "#BF1B00", + "Successful Login": "#B7DBAB", + "Successful Logon": "#9AC48A" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 18, + "i": "2", + "w": 12, + "x": 0, + "y": 7 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "title": "Login Successful vs Failed", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Blocked Acoounts" + }, + "gridData": { + "h": 21, + "i": "3", + "w": 11, + "x": 12, + "y": 35 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "title": "Blocked Acoounts", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "Login Failed": "#F9934E", + "Login OK": "#9AC48A", + "Logon Failed": "#E24D42", + "Logon Successful": "#9AC48A" + }, + "legendOpen": true, + "title": "Logon Successful and Failed Over time", + "vis": { + "colors": { + "Login Failed": "#F9934E", + "Login OK": "#9AC48A", + "Logon Failed": "#BF1B00", + "Logon Successful": "#9AC48A" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 18, + "i": "4", + "w": 23, + "x": 12, + "y": 7 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "title": "Logon Successful and Failed Over 
time", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 21, + "i": "5", + "w": 12, + "x": 0, + "y": 35 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Failed (Time Mosaic View)", + "vis": { + "defaultColors": { + "0 - 5": "rgb(255,245,240)", + "10 - 15": "rgb(252,138,106)", + "15 - 20": "rgb(241,68,50)", + "20 - 24": "rgb(188,20,26)", + "5 - 10": "rgb(253,202,181)" + }, + "legendOpen": false + } + }, + "gridData": { + "h": 30, + "i": "6", + "w": 48, + "x": 0, + "y": 56 + }, + "panelIndex": "6", + "panelRefName": "panel_5", + "title": "Logon Failed (Time Mosaic View)", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Failed and Account Lockouts" + }, + "gridData": { + "h": 20, + "i": "8", + "w": 48, + "x": 0, + "y": 86 + }, + "panelIndex": "8", + "panelRefName": "panel_6", + "title": "Logon Failed and Account Lockouts", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Failed Source IPs" + }, + "gridData": { + "h": 18, + "i": "10", + "w": 13, + "x": 35, + "y": 7 + }, + "panelIndex": "10", + "panelRefName": "panel_7", + "title": "Logon Failed Source IPs", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Failed Logins Table" + }, + "gridData": { + "h": 31, + "i": "11", + "w": 25, + "x": 23, + "y": 25 + }, + "panelIndex": "11", + "panelRefName": "panel_8", + "title": "Failed Logins Table", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "628de26f-7b7b-457c-b811-e06161e4e7b4", + "w": 34, + "x": 14, + "y": 0 + }, + "panelIndex": "628de26f-7b7b-457c-b811-e06161e4e7b4", + "panelRefName": "panel_9", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 10, + "i": "01a624c2-7a86-4fa9-89d3-e2ae84e94ec9", + "w": 12, + "x": 0, + "y": 25 + }, + "panelIndex": "01a624c2-7a86-4fa9-89d3-e2ae84e94ec9", + 
"panelRefName": "panel_10", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 10, + "i": "e3046900-1ffc-4efa-9dab-613d685c617b", + "w": 11, + "x": 12, + "y": 25 + }, + "panelIndex": "e3046900-1ffc-4efa-9dab-613d685c617b", + "panelRefName": "panel_11", + "version": "7.7.0" + } + ], + "timeRestore": false, + "title": "[Winlogbeat Security] Failed and Blocked Accounts", + "version": 1 + }, + "id": "d401ef40-a7d5-11e9-a422-d144027429da", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "c2ea73f0-a4bd-11e9-a422-d144027429da", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "175a5760-a7d5-11e9-a422-d144027429da", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "7a329a00-a7d5-11e9-a422-d144027429da", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "162d7ab0-a7d6-11e9-a422-d144027429da", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "729443b0-a7d6-11e9-a422-d144027429da", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "4b683ac0-a7d7-11e9-a422-d144027429da", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "757510b0-a87f-11e9-a422-d144027429da", + "name": "panel_6", + "type": "search" + }, + { + "id": "2084e300-a884-11e9-a422-d144027429da", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "421f0610-af98-11e9-a422-d144027429da", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "8ef59f90-6ab8-11ea-896f-0d70f7ec3956", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "a79395f0-6aba-11ea-896f-0d70f7ec3956", + "name": "panel_11", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-06-04T16:26:28.275Z", + "version": "WzE1MSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + 
"filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Failed Logon and Account Lockout [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 10, + "markdown": "### **Failed Logons and Account Lockouts**", + "openLinksInNewTab": false + }, + "title": "Failed Logon and Account Lockout [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "c2ea73f0-a4bd-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Successful vs Failed [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "colors": { + "Failed Logins": "#EF843C", + "Failed Logons": "#EA6460", + "Successful Login": "#B7DBAB", + "Successful Logon": "#B7DBAB" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "filters": [ + { + "input": { + "language": "lucene", + "query": "event.code: 4624" + }, + "label": "Successful Logon" + }, + { + "input": { + "language": "lucene", + "query": "event.code: 4625" + }, + "label": "Failed 
Logons" + } + ] + }, + "schema": "segment", + "type": "filters" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "filters", + "format": {}, + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "type": "pie" + }, + "title": "Logon Successful vs Failed [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "175a5760-a7d5-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2NiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4740" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4740", + "type": "phrase" + } + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Blocked Accounts Tag [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": 
"winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 53, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Blocked Accounts Tag [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "7a329a00-a7d5-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2NywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", 
+ "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Successful - Logon Failed Timeline [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "colors": { + "Login Failed": "#F9934E", + "Login OK": "#9AC48A", + "Logon Failed": "#EF843C", + "Logon Successful": "#9AC48A" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-17T09:37:55.995Z", + "to": "2020-05-22T03:09:27.260Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "filters": [ + { + "input": { + "language": "lucene", + "query": "event.code: 4624" + }, + "label": "Logon Successful" + }, + { + "input": { + "language": "lucene", + "query": "event.code: 4625" + }, + "label": "Logon Failed" + } + ] + }, + "schema": "group", + "type": "filters" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "filters", + "format": {}, + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "HH:mm" + } + }, + "params": { + "bounds": { + "max": "2019-07-16T14:30:11.515Z", + "min": "2019-07-16T12:30:11.514Z" + }, + "date": true, + "format": "HH:mm", + "interval": "PT1M" + } + }, + "y": [ + { + "accessor": 2, + "aggType": "count", + "format": { + 
"id": "number" + }, + "params": {} + } + ] + }, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "bottom", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Logon Successful - Logon Failed Timeline [Winlogbeat Security]", + "type": "histogram" + } + }, + "id": "162d7ab0-a7d6-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625", + "4771" + ], + "type": "phrases", + "value": "4625, 4771" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + }, + { + 
"match_phrase": { + "event.code": "4771" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Failed Acconts [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 37, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 15, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Logon Failed Acconts [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "729443b0-a7d6-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2OSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, 
+ "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625" + ], + "type": "phrases", + "value": "4625" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Failed Logon HeatMap [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 4": "rgb(255,255,204)", + "12 - 16": "rgb(252,91,46)", + "16 - 20": "rgb(212,16,32)", + "4 - 8": "rgb(254,225,135)", + "8 - 12": "rgb(254,171,73)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 15 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "drop_partials": true, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "h", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-17T09:37:55.995Z", + "to": "2020-05-22T03:09:27.260Z" + }, + "useNormalizedEsInterval": true + }, + "schema": 
"group", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTooltip": false, + "colorSchema": "Yellow to Red", + "colorsNumber": 5, + "colorsRange": [], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "YYYY-MM-DD HH:mm" + } + }, + "label": "@timestamp per hour", + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "user.name: Descending", + "params": {} + }, + "y": [ + { + "accessor": 2, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + ] + }, + "enableHover": true, + "invertColors": false, + "legendPosition": "bottom", + "percentageMode": false, + "setColorRange": false, + "times": [], + "type": "heatmap", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "black", + "overwriteColor": false, + "rotate": 0, + "show": true + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "Failed Logon HeatMap [Winlogbeat Security]", + "type": "heatmap" + } + }, + "id": "4b683ac0-a7d7-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + 
"version": "WzE3MCwxXQ==" + }, + { + "attributes": { + "columns": [ + "event.action", + "user.name", + "related.user", + "user.domain", + "source.domain", + "source.ip", + "winlog.event_data.SubjectUserName" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625", + "4740" + ], + "type": "phrases", + "value": "4625, 4740" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "3. 
Login Failed Details", + "version": 1 + }, + "id": "757510b0-a87f-11e9-a422-d144027429da", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3MSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4625", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Failed Source IP [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + 
"missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "ip", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 38, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 10, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Logon Failed Source IP [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "2084e300-a884-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4625", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Failed Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Time Bucket", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "h", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-17T09:37:55.995Z", + "to": "2020-05-22T03:09:27.260Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "bucket", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "user.name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1000 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "source workstation", + "field": "source.domain", + "json": "{\"missing\": \"N/A\"}", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + 
"params": { + "customLabel": "source.ip", + "field": "source.ip", + "json": "{\"missing\": \"::\"}", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "event.action", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "7", + "params": { + "customLabel": "winlog.logon.type", + "field": "winlog.logon.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "8", + "params": { + "customLabel": "winlog.event_data.SubjectUserName", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "YYYY-MM-DD HH:mm" + } + }, + "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 3, + "aggType": "terms", + 
"format": { + "id": "terms", + "params": { + "id": "ip", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 4, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 5, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 15, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Logon Failed Table [Winlogbeat Security]", + "type": "table" + } + }, + "id": "421f0610-af98-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3MywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboard links [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat Overview](#/dashboard/Winlogbeat-Dashboard-ecs) | [User Logon Information](#/dashboard/bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/d401ef40-a7d5-11e9-a422-d144027429da) | [User Management 
Events](#/dashboard/71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:49:11.152Z", + "version": "WzI1MCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Failed Logons TSVB [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(204,204,204,1)", + "id": "8d597960-ff18-11e9-8249-2371c695f3b0", + "operator": "lte", + "value": 0 + }, + { + "background_color": "rgba(181,99,93,1)", + "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", + "operator": "gte", + "value": 1 + } + ], + "default_index_pattern": "packetbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 0, + "filter": { + "language": "kuery", + "query": "event.code: \"4625\" and winlog.provider_name : \"Microsoft-Windows-Security-Auditing\" " + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "winlogbeat-*", + "interval": "90d", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Failed Logon", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, 
+ "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Failed Logons TSVB [Winlogbeat Security]", + "type": "metrics" + } + }, + "id": "8ef59f90-6ab8-11ea-896f-0d70f7ec3956", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:28.275Z", + "version": "WzE2MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Blocked Accounts TSVB [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(204,204,204,1)", + "color": "rgba(51,51,51,1)", + "id": "8d597960-ff18-11e9-8249-2371c695f3b0", + "operator": "lte", + "value": 0 + }, + { + "background_color": "rgba(102,102,102,1)", + "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", + "operator": "gte", + "value": 1 + } + ], + "default_index_pattern": "packetbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 0, + "filter": { + "language": "kuery", + "query": "event.code: \"4740\"" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "winlogbeat-*", + "interval": "90d", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Blocked Accounts", + "line_width": 1, + "metrics": [ + { + "field": "user.name", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "cardinality" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + 
"time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Blocked Accounts TSVB [Winlogbeat Security]", + "type": "metrics" + } + }, + "id": "a79395f0-6aba-11ea-896f-0d70f7ec3956", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:28.275Z", + "version": "WzE2MywxXQ==" + } + ], + "version": "7.7.0" +} diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-failed-blocked-accounts.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-failed-blocked-accounts.json new file mode 100644 index 00000000000..410fb321322 --- /dev/null +++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-failed-blocked-accounts.json 
@@ -0,0 +1,2073 @@ +{ + "objects": [ + { + "attributes": { + "description": "Failed and blocked accounts.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "1", + "w": 14, + "x": 0, + "y": 0 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "Failed Logins": "#EF843C", + "Failed Logons": "#E24D42", + "Successful Login": "#B7DBAB", + "Successful Logon": "#9AC48A" + }, + "legendOpen": true, + "title": "Login Successful vs Failed", + "vis": { + "colors": { + "Failed Logins": "#EF843C", + "Failed Logons": "#BF1B00", + "Successful Login": "#B7DBAB", + "Successful Logon": "#9AC48A" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 18, + "i": "2", + "w": 12, + "x": 0, + "y": 7 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "title": "Login Successful vs Failed", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Blocked Acoounts" + }, + "gridData": { + "h": 21, + "i": "3", + "w": 11, + "x": 12, + "y": 35 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "title": "Blocked Acoounts", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "Login Failed": "#F9934E", + "Login OK": "#9AC48A", + "Logon Failed": "#E24D42", + "Logon Successful": "#9AC48A" + }, + "legendOpen": true, + "title": "Logon Successful and Failed Over time", + "vis": { + "colors": { + "Login Failed": "#F9934E", + "Login OK": "#9AC48A", + "Logon Failed": "#BF1B00", + "Logon Successful": "#9AC48A" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 18, + "i": "4", + "w": 23, + "x": 12, + "y": 7 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "title": "Logon Successful and Failed Over time", + "version": 
"7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 21, + "i": "5", + "w": 12, + "x": 0, + "y": 35 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Failed (Time Mosaic View)", + "vis": { + "defaultColors": { + "0 - 5": "rgb(255,245,240)", + "10 - 15": "rgb(252,138,106)", + "15 - 20": "rgb(241,68,50)", + "20 - 24": "rgb(188,20,26)", + "5 - 10": "rgb(253,202,181)" + }, + "legendOpen": false + } + }, + "gridData": { + "h": 30, + "i": "6", + "w": 48, + "x": 0, + "y": 56 + }, + "panelIndex": "6", + "panelRefName": "panel_5", + "title": "Logon Failed (Time Mosaic View)", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Failed and Account Lockouts" + }, + "gridData": { + "h": 20, + "i": "8", + "w": 48, + "x": 0, + "y": 86 + }, + "panelIndex": "8", + "panelRefName": "panel_6", + "title": "Logon Failed and Account Lockouts", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Failed Source IPs" + }, + "gridData": { + "h": 18, + "i": "10", + "w": 13, + "x": 35, + "y": 7 + }, + "panelIndex": "10", + "panelRefName": "panel_7", + "title": "Logon Failed Source IPs", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Failed Logins Table" + }, + "gridData": { + "h": 31, + "i": "11", + "w": 25, + "x": 23, + "y": 25 + }, + "panelIndex": "11", + "panelRefName": "panel_8", + "title": "Failed Logins Table", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "a79ee89f-ff45-486c-9788-9446d39456c2", + "w": 34, + "x": 14, + "y": 0 + }, + "panelIndex": "a79ee89f-ff45-486c-9788-9446d39456c2", + "panelRefName": "panel_9", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 10, + "i": "7765df59-11c4-476d-898f-9ebf98c369e2", + "w": 11, + "x": 12, + "y": 25 + }, + "panelIndex": "7765df59-11c4-476d-898f-9ebf98c369e2", + "panelRefName": "panel_10", + 
"version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 10, + "i": "b47c91d3-58c4-4b5b-b302-444b048efdfa", + "w": 12, + "x": 0, + "y": 25 + }, + "panelIndex": "b47c91d3-58c4-4b5b-b302-444b048efdfa", + "panelRefName": "panel_11", + "version": "7.7.0" + } + ], + "timeRestore": false, + "title": "[Winlogbeat Security] Failed and Blocked Accounts - Simple Metrics", + "version": 1 + }, + "id": "f49f3170-9ffc-11ea-87e4-49f31ec44891", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "c2ea73f0-a4bd-11e9-a422-d144027429da", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "175a5760-a7d5-11e9-a422-d144027429da", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "7a329a00-a7d5-11e9-a422-d144027429da", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "162d7ab0-a7d6-11e9-a422-d144027429da", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "729443b0-a7d6-11e9-a422-d144027429da", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "4b683ac0-a7d7-11e9-a422-d144027429da", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "757510b0-a87f-11e9-a422-d144027429da", + "name": "panel_6", + "type": "search" + }, + { + "id": "2084e300-a884-11e9-a422-d144027429da", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "421f0610-af98-11e9-a422-d144027429da", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "5d117970-9ffd-11ea-87e4-49f31ec44891", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "4bedf650-9ffd-11ea-87e4-49f31ec44891", + "name": "panel_11", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], 
+ "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Failed Logon and Account Lockout [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 10, + "markdown": "### **Failed Logons and Account Lockouts**", + "openLinksInNewTab": false + }, + "title": "Failed Logon and Account Lockout [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "c2ea73f0-a4bd-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Successful vs Failed [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "colors": { + "Failed Logins": "#EF843C", + "Failed Logons": "#EA6460", + "Successful Login": "#B7DBAB", + "Successful Logon": "#B7DBAB" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "filters": [ + { + "input": { + "language": "lucene", + "query": "event.code: 4624" + }, + "label": "Successful Logon" + }, + { + "input": { + "language": "lucene", + "query": "event.code: 4625" + }, + "label": "Failed Logons" + } + ] + 
}, + "schema": "segment", + "type": "filters" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "filters", + "format": {}, + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "type": "pie" + }, + "title": "Logon Successful vs Failed [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "175a5760-a7d5-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2NiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4740" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4740", + "type": "phrase" + } + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Blocked Accounts Tag [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": 
"winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 53, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Blocked Accounts Tag [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "7a329a00-a7d5-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2NywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", 
+ "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Successful - Logon Failed Timeline [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "colors": { + "Login Failed": "#F9934E", + "Login OK": "#9AC48A", + "Logon Failed": "#EF843C", + "Logon Successful": "#9AC48A" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-17T09:37:55.995Z", + "to": "2020-05-22T03:09:27.260Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "filters": [ + { + "input": { + "language": "lucene", + "query": "event.code: 4624" + }, + "label": "Logon Successful" + }, + { + "input": { + "language": "lucene", + "query": "event.code: 4625" + }, + "label": "Logon Failed" + } + ] + }, + "schema": "group", + "type": "filters" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "filters", + "format": {}, + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "HH:mm" + } + }, + "params": { + "bounds": { + "max": "2019-07-16T14:30:11.515Z", + "min": "2019-07-16T12:30:11.514Z" + }, + "date": true, + "format": "HH:mm", + "interval": "PT1M" + } + }, + "y": [ + { + "accessor": 2, + "aggType": "count", + "format": { + 
"id": "number" + }, + "params": {} + } + ] + }, + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "bottom", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Logon Successful - Logon Failed Timeline [Winlogbeat Security]", + "type": "histogram" + } + }, + "id": "162d7ab0-a7d6-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625", + "4771" + ], + "type": "phrases", + "value": "4625, 4771" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + }, + { + 
"match_phrase": { + "event.code": "4771" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Failed Acconts [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 37, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 15, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Logon Failed Acconts [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "729443b0-a7d6-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE2OSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, 
+ "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625" + ], + "type": "phrases", + "value": "4625" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Failed Logon HeatMap [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 4": "rgb(255,255,204)", + "12 - 16": "rgb(252,91,46)", + "16 - 20": "rgb(212,16,32)", + "4 - 8": "rgb(254,225,135)", + "8 - 12": "rgb(254,171,73)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 15 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "drop_partials": true, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "h", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-17T09:37:55.995Z", + "to": "2020-05-22T03:09:27.260Z" + }, + "useNormalizedEsInterval": true + }, + "schema": 
"group", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTooltip": false, + "colorSchema": "Yellow to Red", + "colorsNumber": 5, + "colorsRange": [], + "dimensions": { + "series": [ + { + "accessor": 1, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "YYYY-MM-DD HH:mm" + } + }, + "label": "@timestamp per hour", + "params": {} + } + ], + "x": { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "user.name: Descending", + "params": {} + }, + "y": [ + { + "accessor": 2, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Count", + "params": {} + } + ] + }, + "enableHover": true, + "invertColors": false, + "legendPosition": "bottom", + "percentageMode": false, + "setColorRange": false, + "times": [], + "type": "heatmap", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "black", + "overwriteColor": false, + "rotate": 0, + "show": true + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "Failed Logon HeatMap [Winlogbeat Security]", + "type": "heatmap" + } + }, + "id": "4b683ac0-a7d7-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + 
"version": "WzE3MCwxXQ==" + }, + { + "attributes": { + "columns": [ + "event.action", + "user.name", + "related.user", + "user.domain", + "source.domain", + "source.ip", + "winlog.event_data.SubjectUserName" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4625", + "4740" + ], + "type": "phrases", + "value": "4625, 4740" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4625" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "3. 
Login Failed Details", + "version": 1 + }, + "id": "757510b0-a87f-11e9-a422-d144027429da", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3MSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4625", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Failed Source IP [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + 
"missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "bucket": { + "accessor": 0, + "format": { + "id": "terms", + "params": { + "id": "ip", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "type": "vis_dimension" + }, + "maxFontSize": 38, + "metric": { + "accessor": 1, + "format": { + "id": "string", + "params": {} + }, + "type": "vis_dimension" + }, + "minFontSize": 10, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Logon Failed Source IP [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "2084e300-a884-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4625", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Failed Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Time Bucket", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "h", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-17T09:37:55.995Z", + "to": "2020-05-22T03:09:27.260Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "bucket", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "user.name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1000 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "source workstation", + "field": "source.domain", + "json": "{\"missing\": \"N/A\"}", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + 
"params": { + "customLabel": "source.ip", + "field": "source.ip", + "json": "{\"missing\": \"::\"}", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "event.action", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "7", + "params": { + "customLabel": "winlog.logon.type", + "field": "winlog.logon.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "8", + "params": { + "customLabel": "winlog.event_data.SubjectUserName", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "YYYY-MM-DD HH:mm" + } + }, + "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 3, + "aggType": "terms", + 
"format": { + "id": "terms", + "params": { + "id": "ip", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 4, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 5, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 15, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Logon Failed Table [Winlogbeat Security]", + "type": "table" + } + }, + "id": "421f0610-af98-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3MywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboard links - Simple [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat General ECS Dashboard](#/dashboard/Winlogbeat-Dashboard-ecs) | [User Logon Information](#/dashboard/035846a0-a249-11e9-a422-d144027429da?) 
| [Logon failed and Account Lockout](#/dashboard/f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/01c54730-fee6-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links - Simple [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4740" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4740" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Blocked Accounts [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Blocked Accounts", + "field": "user.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Blocked Accounts [Winlogbeat Security]", + "type": "metric" + } + 
}, + "id": "5d117970-9ffd-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4625" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": " Failed Logons [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Failed Logons" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": 
"None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": " Failed Logons [Winlogbeat Security]", + "type": "metric" + } + }, + "id": "4bedf650-9ffd-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3NiwxXQ==" + } + ], + "version": "7.7.0" +} diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/01c54730-fee6-11e9-8405-516218e3d268.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-group-management-tsvb.json similarity index 81% rename from x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/01c54730-fee6-11e9-8405-516218e3d268.json rename to x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-group-management-tsvb.json index 94328a56ebb..0c488dfc117 100644 --- a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/01c54730-fee6-11e9-8405-516218e3d268.json +++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-group-management-tsvb.json @@ -2,7 +2,7 @@ "objects": [ { "attributes": { - "description": "Uses Simple Metric Visualizations", + "description": "Group management activity with TSVB metrics.", "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { 
@@ -15,13 +15,15 @@ }, "optionsJSON": { "hidePanelTitles": false, - "useMargins": true + "useMargins": false }, "panelsJSON": [ { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 22, + "h": 8, "i": "22", "w": 17, "x": 0, 
@@ -29,272 +31,341 @@ }, "panelIndex": "22", "panelRefName": "panel_0", - "title": "", - "version": "7.3.1" - }, - { - "embeddableConfig": { - "vis": { - "legendOpen": false - } - }, - "gridData": { - "h": 22, - "i": "23", - "w": 22, - "x": 17, - "y": 0 - }, - "panelIndex": "23", - "panelRefName": "panel_1", - "title": "Group Management Actions [Winlogbeat Security]", - "version": "7.3.1" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 22, - "i": "25", - "w": 9, - "x": 39, - "y": 0 - }, - "panelIndex": "25", - "panelRefName": "panel_2", - "title": "Event Codes [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { - "vis": { - "defaultColors": { - "0 - 1": "rgb(247,251,255)", - "1 - 2": "rgb(198,219,239)", - "2 - 3": "rgb(107,174,214)", - "3 - 4": "rgb(33,113,181)" - }, - "legendOpen": false - } - }, - "gridData": { - "h": 21, - "i": "35", - "w": 26, - "x": 0, - "y": 22 + "title": "Group Creation Summary [Winlogbeat Security]" }, - "panelIndex": "35", - "panelRefName": "panel_3", - "title": "Actions performed over Groups [Winlogbeat Security]", - "version": "7.3.1" - }, - { - "embeddableConfig": {}, "gridData": { "h": 13, "i": "36", "w": 9, "x": 0, - "y": 52 + "y": 59 }, "panelIndex": "36", - "panelRefName": "panel_4", + "panelRefName": "panel_1", "title": "Group Creation Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Group Changes Summary [Winlogbeat Security]" + }, "gridData": { "h": 13, "i": "37", "w": 9, "x": 9, - "y": 52 + "y": 59 }, "panelIndex": "37", - "panelRefName": "panel_5", + "panelRefName": "panel_2", "title": "Group Changes Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Group Deletion Summary [Winlogbeat Security]" + }, "gridData": { "h": 13, "i": "38", "w": 9, "x": 18, - "y": 52 + "y": 59 }, "panelIndex": "38", - 
"panelRefName": "panel_6", + "panelRefName": "panel_3", "title": "Group Deletion Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Users Added to Group Summary [Winlogbeat Security]" + }, "gridData": { "h": 14, "i": "39", "w": 16, "x": 0, - "y": 72 + "y": 81 }, "panelIndex": "39", - "panelRefName": "panel_7", + "panelRefName": "panel_4", "title": "Users Added to Group Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Users Removed From Group Summary [Winlogbeat Security]" + }, "gridData": { "h": 14, "i": "40", "w": 17, "x": 16, - "y": 72 + "y": 81 }, "panelIndex": "40", - "panelRefName": "panel_8", + "panelRefName": "panel_5", "title": "Users Removed From Group Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Group Membership Enumeration Summary [Winlogbeat Security]" + }, "gridData": { "h": 14, "i": "42", "w": 15, "x": 33, - "y": 72 + "y": 81 }, "panelIndex": "42", - "panelRefName": "panel_9", + "panelRefName": "panel_6", "title": "Group Membership Enumeration Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Logon Details [Winlogbeat Security]" + }, "gridData": { "h": 22, "i": "43", "w": 21, "x": 27, - "y": 43 + "y": 50 }, "panelIndex": "43", - "panelRefName": "panel_10", + "panelRefName": "panel_7", "title": "Logon Details [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 7, + "h": 9, "i": "44", "w": 16, "x": 0, - "y": 65 + "y": 72 }, "panelIndex": "44", - "panelRefName": "panel_11", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_8", + "version": "7.7.0" }, { - "embeddableConfig": 
{}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 9, "i": "45", "w": 9, "x": 18, - "y": 43 + "y": 50 }, "panelIndex": "45", - "panelRefName": "panel_12", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_9", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 9, "i": "46", "w": 9, "x": 0, - "y": 43 + "y": 50 }, "panelIndex": "46", - "panelRefName": "panel_13", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_10", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 9, "i": "47", "w": 9, "x": 9, - "y": 43 + "y": 50 }, "panelIndex": "47", - "panelRefName": "panel_14", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_11", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 7, + "h": 9, "i": "48", "w": 17, "x": 16, - "y": 65 + "y": 72 }, "panelIndex": "48", - "panelRefName": "panel_15", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_12", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 7, + "h": 9, "i": "49", "w": 15, "x": 33, - "y": 65 + "y": 72 }, "panelIndex": "49", + "panelRefName": "panel_13", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 21, + "i": "51", + "w": 48, + "x": 0, + "y": 95 + }, + "panelIndex": "51", + "panelRefName": "panel_14", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 8, + "i": "45614e1c-b2bb-4243-9a74-a4bdd0124c87", + "w": 31, + "x": 17, + "y": 0 + }, + "panelIndex": "45614e1c-b2bb-4243-9a74-a4bdd0124c87", + "panelRefName": "panel_15", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 21, + "i": "88e75800-8125-4c9e-96b8-5c36f6e91664", + "w": 9, + "x": 21, + "y": 8 + }, + "panelIndex": 
"88e75800-8125-4c9e-96b8-5c36f6e91664", "panelRefName": "panel_16", - "title": "", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": {}, "gridData": { "h": 21, - "i": "50", - "w": 22, - "x": 26, - "y": 22 + "i": "4b793b8e-72d4-42a2-b377-1c70f0307414", + "w": 18, + "x": 30, + "y": 8 }, - "panelIndex": "50", + "panelIndex": "4b793b8e-72d4-42a2-b377-1c70f0307414", "panelRefName": "panel_17", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "vis": null + }, "gridData": { "h": 21, - "i": "51", - "w": 48, + "i": "82d229f9-44f4-4c4b-baf7-f9673a14c87f", + "w": 26, "x": 0, - "y": 86 + "y": 29 }, - "panelIndex": "51", + "panelIndex": "82d229f9-44f4-4c4b-baf7-f9673a14c87f", "panelRefName": "panel_18", - "version": "7.3.1" + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-group-account": "#1F78C1", + "added-member-to-group": "#0A437C", + "deleted-group-account": "#5195CE", + "modified-group-account": "#0A50A1", + "type-changed-group-account": "#82B5D8", + "user-member-enumerated": "#2F575E" + }, + "vis": { + "colors": { + "added-group-account": "#1F78C1", + "added-member-to-group": "#0A437C", + "deleted-group-account": "#5195CE", + "modified-group-account": "#0A50A1", + "removed-member-from-group": "#82B5D8", + "type-changed-group-account": "#82B5D8", + "user-member-enumerated": "#2F575E" + } + } + }, + "gridData": { + "h": 21, + "i": "f44255b0-d9a8-479f-be3f-829c1f6ed794", + "w": 22, + "x": 26, + "y": 29 + }, + "panelIndex": "f44255b0-d9a8-479f-be3f-829c1f6ed794", + "panelRefName": "panel_19", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-group-account": "#0A50A1", + "added-member-to-group": "#1F78C1", + "deleted-group-account": "#5195CE", + "modified-group-account": "#0A437C", + "user-member-enumerated": "#052B51" + }, + "vis": { + "colors": { + "added-group-account": "#0A50A1", + "added-member-to-group": "#1F78C1", + "deleted-group-account": 
"#5195CE", + "modified-group-account": "#0A437C", + "user-member-enumerated": "#2F575E" + } + } + }, + "gridData": { + "h": 21, + "i": "9c42bff2-b295-4617-8d8c-455bd5948b66", + "w": 21, + "x": 0, + "y": 8 + }, + "panelIndex": "9c42bff2-b295-4617-8d8c-455bd5948b66", + "panelRefName": "panel_20", + "version": "7.7.0" } ], "timeRestore": false, 
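Review bot: The colour maps added for the two new event-action panels at the end of this hunk disagree with themselves: in panel `f44255b0-…` the `vis.colors` map assigns the same `#82B5D8` to both `removed-member-from-group` and `type-changed-group-account`, and its sibling top-level `colors` map omits `removed-member-from-group` entirely; in panel `9c42bff2-…`, `user-member-enumerated` is `#052B51` in `colors` but `#2F575E` in `vis.colors`. Whichever of the two maps Kibana 7.7 honours, a member removal and a group type change render indistinguishably in the legend, which is precisely the distinction an analyst looks for when reviewing group-management activity. Give `removed-member-from-group` its own value and make the two maps identical in both panels, e.g. `"removed-member-from-group": "#E24D42"` in both `colors` and `vis.colors`. The `"vis": null` on panel `82d229f9-…` also looks like an export artifact; the sibling panels use `{}` or `{"title": ""}`.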
@@ -312,99 +383,109 @@ "type": "visualization" }, { - "id": "b01aaea0-f415-11e9-8405-516218e3d268", + "id": "98884120-f49d-11e9-8405-516218e3d268", "name": "panel_1", "type": "visualization" }, { - "id": "11b5c0e0-f417-11e9-8405-516218e3d268", + "id": "9e534190-f49d-11e9-8405-516218e3d268", "name": "panel_2", "type": "visualization" }, { - "id": "b948eaf0-f49c-11e9-8405-516218e3d268", + "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", "name": "panel_3", "type": "visualization" }, { - "id": "98884120-f49d-11e9-8405-516218e3d268", + "id": "ce867840-f49e-11e9-8405-516218e3d268", "name": "panel_4", "type": "visualization" }, { - "id": "9e534190-f49d-11e9-8405-516218e3d268", + "id": "fee83900-f49f-11e9-8405-516218e3d268", "name": "panel_5", "type": "visualization" }, { - "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", + "id": "bc165210-f4b8-11e9-8405-516218e3d268", "name": "panel_6", "type": "visualization" }, { - "id": "ce867840-f49e-11e9-8405-516218e3d268", + "id": "7e178c80-fee1-11e9-8405-516218e3d268", "name": "panel_7", - "type": "visualization" + "type": "search" }, { - "id": "fee83900-f49f-11e9-8405-516218e3d268", + "id": "a13bf640-fee8-11e9-8405-516218e3d268", "name": "panel_8", "type": "visualization" }, { - "id": "bc165210-f4b8-11e9-8405-516218e3d268", + "id": "5eeaafd0-fee7-11e9-8405-516218e3d268", "name": "panel_9", "type": "visualization" }, { - "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "id": "f42f3b20-fee6-11e9-8405-516218e3d268", "name": "panel_10", - "type": "search" + "type": "visualization" }, { - "id": "a13bf640-fee8-11e9-8405-516218e3d268", + "id": "b5f38780-fee6-11e9-8405-516218e3d268", "name": "panel_11", "type": "visualization" }, { - "id": "5eeaafd0-fee7-11e9-8405-516218e3d268", + "id": "1b5f17d0-feea-11e9-8405-516218e3d268", "name": "panel_12", "type": "visualization" }, { - "id": "f42f3b20-fee6-11e9-8405-516218e3d268", + "id": "0f2f5280-feeb-11e9-8405-516218e3d268", "name": "panel_13", "type": "visualization" }, { - "id": 
"b5f38780-fee6-11e9-8405-516218e3d268", + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", "name": "panel_14", - "type": "visualization" + "type": "search" }, { - "id": "1b5f17d0-feea-11e9-8405-516218e3d268", + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", "name": "panel_15", "type": "visualization" }, { - "id": "0f2f5280-feeb-11e9-8405-516218e3d268", + "id": "33462600-9b47-11ea-87e4-49f31ec44891", "name": "panel_16", "type": "visualization" }, { - "id": "24954800-fef0-11e9-8405-516218e3d268", + "id": "58fb9480-9b46-11ea-87e4-49f31ec44891", "name": "panel_17", "type": "visualization" }, { - "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "id": "e20c02d0-9b48-11ea-87e4-49f31ec44891", "name": "panel_18", - "type": "search" + "type": "visualization" + }, + { + "id": "7de2e3f0-9b4d-11ea-87e4-49f31ec44891", + "name": "panel_19", + "type": "visualization" + }, + { + "id": "b89b0c90-9b41-11ea-87e4-49f31ec44891", + "name": "panel_20", + "type": "visualization" } ], "type": "dashboard", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI0LDFd" + "updated_at": "2020-06-04T16:26:22.158Z", + "version": "WzIxLDFd" }, { "attributes": { 
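Review bot: `panel_15` now points this dashboard at `d770b040-9b35-11ea-87e4-49f31ec44891` (the "Dashboard links - Simple" markdown), the same saved-object id that the new failed/blocked-accounts export in this commit defines with its own copy. If this file also carries a copy of that object (not visible in the hunk), the copy imported last silently overwrites the other, so an edit to the link list in one file may not take effect or may be lost depending on load order. Either keep one canonical copy and only reference it from the other dashboards, or keep the copies byte-identical and say so in the file's description. The rest of the reference list is consistent with the panelsJSON in the previous hunk (`panel_0` … `panel_20`, with `panel_7` and `panel_14` now typed `search`).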
@@ -418,28 +499,28 @@ } } }, - "title": "Group Management Events [Winlogbeat Security]", + "title": "Group Management Events - Description [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { "aggs": [], "params": { "fontSize": 10, - "markdown": "# **Group Management Events**\n\n#### This dashboard shows information about Group Management Events collected by winlogbeat\n#\n#\n#\nEvent | Description|Event | Description\n-- | --|--|--\n|4727|A security-enabled global group was created.|4728|A member was added to a security-enabled global group.| \n|4729|A member was removed from a security-enabled global group.|4730|A security-enabled global group was deleted.| \n|4731|A security-enabled local group was created.|4732|A member was added to a security-enabled local group.|\n|4733|A member was removed from a security-enabled local group.|4734|A security-enabled local group was deleted.|\n|4735|A security-enabled local group was changed.|4737|A security-enabled global group was changed.|\n|4754|A security-enabled universal group was created.| 4755|A security-enabled universal group was changed.| \n|4756|A member was added to a security-enabled universal group.|4757|A member was removed from a security-enabled universal group.| \n|4758|A security-enabled universal group was deleted.| 4764|A group\\'s type was changed.|\n|4799|A security-enabled local group membership was enumerated.|", + "markdown": "# **Group Management Events**\n\n#### This dashboard shows information about Group Management Events collected by winlogbeat\n", "openLinksInNewTab": false }, - "title": "Group Management Events [Winlogbeat Security]", + "title": "Group Management Events - Description [Winlogbeat Security]", "type": "markdown" } }, "id": "6f0f2ea0-f414-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI1LDFd" + 
"updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzMCwxXQ==" }, { "attributes": { @@ -459,25 +540,16 @@ "negate": false, "params": [ "4731", - "4732", - "4733", - "4734", - "4735", - "4764", - "4799", "4727", - "4737", - "4728", - "4729", - "4730", "4754", - "4755", - "4756", - "4757", - "4758" + "4744", + "4759", + "4779", + "4790", + "4783" ], "type": "phrases", - "value": "4731, 4732, 4733, 4734, 4735, 4764, 4799, 4727, 4737, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758" + "value": "4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783" }, "query": { "bool": { @@ -490,82 +562,37 @@ }, { "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4764" + "event.code": "4727" } }, { "match_phrase": { - "event.code": "4799" + "event.code": "4754" } }, { "match_phrase": { - "event.code": "4727" + "event.code": "4744" } }, { "match_phrase": { - "event.code": "4737" + "event.code": "4759" } }, { "match_phrase": { - "event.code": "4728" + "event.code": "4779" } }, { "match_phrase": { - "event.code": "4729" + "event.code": "4790" } }, { "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4758" + "event.code": "4783" } } ] @@ -580,8 +607,17 @@ } } }, - "title": "Group Management Events - Event Actions - Donut [Winlogbeat Security]", - "uiStateJSON": {}, + "title": "Groups Created - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, "version": 1, "visState": { "aggs": [ 
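Review bot: The description panel loses its event-ID legend (the 4727–4799 table) without a replacement, while the filters in the following hunks widen the dashboard to security-disabled, application and LDAP-query group events (4744, 4759, 4783, 4790, 4745, 4750, 4760, 4784, 4791). An analyst reading the dashboard can no longer tell which event codes a "Groups Created" or "Group Changes" row can come from, and the new codes are the less familiar ones. I would restore a compact table under the heading listing the codes each table now filters on, grouped by creation / change / deletion / membership, instead of the single line `#### This dashboard shows information about Group Management Events collected by winlogbeat`.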
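Review bot: The "Groups Created" filter adds `"4779"` to the `event.code` phrases list, but 4779 is the Windows Security event for a session being disconnected from a window station, not a group-creation event; the creation counterparts of the 4745/4750/4760 "changed" codes that the Group Changes table uses in a later hunk are 4744/4749/4759, so `"4779"` looks like a typo for `"4749"` (a security-disabled global group was created). With `missingBucket: false` on the `group.name` aggregation, disconnect events would be dropped from the table rather than shown, so the mistake is invisible rather than harmful, but the filter is still wrong and will be copied. Change both occurrences in this hunk — the `params` entry and the `value` string `"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783"` — to 4749, and the matching `match_phrase` clause in the next hunk's `bool.should` list.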
@@ -596,7 +632,25 @@ "enabled": true, "id": "2", "params": { - "field": "event.action", + "customLabel": "Group", + "field": "group.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Domain", + "field": "group.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -605,13 +659,45 @@ "otherBucketLabel": "Other", "size": 5 }, - "schema": "segment", + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Performer LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", "type": "terms" } ], "params": { - "addLegend": true, - "addTooltip": true, "dimensions": { "buckets": [ { 
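Review bot: The new `group.name` bucket is capped at `"size": 20` with `"otherBucket": false`, so once more than 20 distinct groups are created in the selected time range the rest are silently dropped from the table with nothing signalling truncation — and a burst of group creation is exactly when this table matters. Either raise the size or set `"otherBucket": true` so an "Other" row reveals that rows exist beyond the cap; the same applies to the `"size": 5` on the `group.domain`, `winlog.event_data.SubjectUserName` and `winlog.logon.id` sub-buckets in the next hunk. Separately, the "Performed by" column reads the raw `winlog.event_data.SubjectUserName`; if the module populates `user.name` for these events (I cannot confirm that from the hunk), the ECS field would keep this table consistent with the logon dashboards.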
@@ -626,34 +712,76 @@ } }, "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 3, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], - "metric": { - "accessor": 1, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } + "metrics": [ + { + "accessor": 4, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] }, - "isDonut": true, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true + "perPage": 5, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null }, - "legendPosition": "right", - "type": "pie" + "totalFunc": "sum" }, - "title": "Group Management Events - Event Actions - Donut [Winlogbeat Security]", - "type": "pie" + "title": "Groups Created - Table [Winlogbeat Security]", + "type": "table" } }, - "id": "b01aaea0-f415-11e9-8405-516218e3d268", + "id": "98884120-f49d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -668,8 +796,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI2LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzNywxXQ==" }, { "attributes": { 
@@ -688,71 +816,23 @@ "key": "event.code", "negate": false, "params": [ - "4727", - "4728", - "4729", - "4730", - "4731", - "4732", - "4733", - "4734", "4735", "4737", - "4754", "4755", - "4756", - "4757", - "4758", - "4764", - "4799" + "4750", + "4760", + "4745", + "4791", + "4784", + "4764" ], "type": "phrases", - "value": "4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, 4799" + "value": "4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764" }, "query": { "bool": { "minimum_should_match": 1, "should": [ - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, { "match_phrase": { "event.code": "4735" @@ -765,37 +845,37 @@ }, { "match_phrase": { - "event.code": "4754" + "event.code": "4755" } }, { "match_phrase": { - "event.code": "4755" + "event.code": "4750" } }, { "match_phrase": { - "event.code": "4756" + "event.code": "4760" } }, { "match_phrase": { - "event.code": "4757" + "event.code": "4745" } }, { "match_phrase": { - "event.code": "4758" + "event.code": "4791" } }, { "match_phrase": { - "event.code": "4764" + "event.code": "4784" } }, { "match_phrase": { - "event.code": "4799" + "event.code": "4764" } } ] @@ -810,7 +890,7 @@ } } }, - "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", + "title": "Group Changes - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { 
@@ -835,8 +915,8 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Event Action", - "field": "event.action", + "customLabel": "Group", + "field": "group.name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -852,38 +932,98 @@ "enabled": true, "id": "3", "params": { - "customLabel": "Event Code", - "field": "event.code", + "customLabel": "Domain", + "field": "group.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 10 + "size": 5 }, "schema": "bucket", "type": "terms" - } - ], - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Performer LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + 
"accessor": 3, "aggType": "terms", "format": { "id": "terms", @@ -898,7 +1038,7 @@ ], "metrics": [ { - "accessor": 2, + "accessor": 4, "aggType": "count", "format": { "id": "number" @@ -907,7 +1047,8 @@ } ] }, - "perPage": 10, + "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -917,13 +1058,13 @@ }, "totalFunc": "sum" }, - "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", + "title": "Group Changes - Table [Winlogbeat Security]", "type": "table" } }, - "id": "11b5c0e0-f417-11e9-8405-516218e3d268", + "id": "9e534190-f49d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -938,8 +1079,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI3LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzOCwxXQ==" }, { "attributes": { @@ -958,66 +1099,22 @@ "key": "event.code", "negate": false, "params": [ - "4727", - "4728", - "4729", - "4730", - "4731", - "4732", - "4733", "4734", - "4735", - "4737", - "4754", - "4755", - "4756", - "4757", + "4730", "4758", - "4764", - "4799" + "4748", + "4763", + "4753", + "4792", + "4789" ], "type": "phrases", - "value": "4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, 4799" + "value": "4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789" }, "query": { "bool": { "minimum_should_match": 1, "should": [ - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, { "match_phrase": { "event.code": "4734" 
@@ -1025,47 +1122,37 @@ }, { "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4754" + "event.code": "4730" } }, { "match_phrase": { - "event.code": "4755" + "event.code": "4758" } }, { "match_phrase": { - "event.code": "4756" + "event.code": "4748" } }, { "match_phrase": { - "event.code": "4757" + "event.code": "4763" } }, { "match_phrase": { - "event.code": "4758" + "event.code": "4753" } }, { "match_phrase": { - "event.code": "4764" + "event.code": "4792" } }, { "match_phrase": { - "event.code": "4799" + "event.code": "4789" } } ] @@ -1080,14 +1167,14 @@ } } }, - "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", + "title": "Groups Deleted - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { - "defaultColors": { - "0 - 1": "rgb(247,251,255)", - "1 - 2": "rgb(198,219,239)", - "2 - 3": "rgb(107,174,214)", - "3 - 4": "rgb(33,113,181)" + "params": { + "sort": { + "columnIndex": null, + "direction": null + } } } }, @@ -1113,16 +1200,17 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 15 + "size": 20 }, - "schema": "segment", + "schema": "bucket", "type": "terms" }, { "enabled": true, "id": "3", "params": { - "field": "event.action", + "customLabel": "Domain", + "field": "group.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -1131,18 +1219,60 @@ "otherBucketLabel": "Other", "size": 5 }, - "schema": "group", + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Performer LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", "type": "terms" } ], "params": { - "addLegend": true, - "addTooltip": true, - "colorSchema": "Blues", - "colorsNumber": 4, - "colorsRange": [], "dimensions": { - "series": [ + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, { "accessor": 1, "aggType": "terms", 
@@ -1155,64 +1285,63 @@ } }, "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } }, - "params": {} - }, - "y": [ { "accessor": 2, - "aggType": "count", + "aggType": "terms", "format": { - "id": "number" + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 3, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } }, "params": {} } - ] - }, - "enableHover": false, - "invertColors": false, - "legendPosition": "right", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": true - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] + ], + "metrics": [ + { + "accessor": 4, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 5, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" }, - "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", - "type": "heatmap" + "title": "Groups Deleted - Table [Winlogbeat Security]", + "type": "table" } }, - "id": "b948eaf0-f49c-11e9-8405-516218e3d268", + "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { 
@@ -1227,8 +1356,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI4LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzOSwxXQ==" }, { "attributes": { @@ -1247,12 +1376,17 @@ "key": "event.code", "negate": false, "params": [ - "4731", - "4727", - "4754" + "4732", + "4728", + "4756", + "4751", + "4761", + "4746", + "4785", + "4787" ], "type": "phrases", - "value": "4731, 4727, 4754" + "value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787" }, "query": { "bool": { @@ -1260,17 +1394,42 @@ "should": [ { "match_phrase": { - "event.code": "4731" + "event.code": "4732" } }, { "match_phrase": { - "event.code": "4727" + "event.code": "4728" } }, { "match_phrase": { - "event.code": "4754" + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4785" + } + }, + { + "match_phrase": { + "event.code": "4787" } } ] @@ -1285,7 +1444,7 @@ } } }, - "title": "Groups Created - Table [Winlogbeat Security]", + "title": "Users Added - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1309,6 +1468,23 @@ { "enabled": true, "id": "2", + "params": { + "customLabel": "User", + "field": "winlog.event_data.MemberName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", "params": { "customLabel": "Group", "field": "group.name", @@ -1318,14 +1494,14 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 20 + "size": 10 }, "schema": "bucket", "type": "terms" }, { "enabled": true, - "id": "3", + "id": "4", "params": { "customLabel": "Domain", "field": "group.domain", 
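Review bot: The new "User" column of the Users Added table buckets on `winlog.event_data.MemberName`, and for the local-group event 4732 in this filter that field is, as far as I recall from the Windows event documentation, frequently just `-` (the DN is only filled for domain groups, leaving `MemberSid` as the sole identifier), so additions to local Administrators would collapse into a single `-` row. Consider keying the column on `"field": "winlog.event_data.MemberSid"` or adding it as a second bucket so each member stays distinguishable. Separately, the column is a top-5 terms bucket ordered by count with `"otherBucket": false`, which silently drops the rare one-off addition an analyst most wants to notice; `"otherBucket": true` at least makes the hidden rows visible. The filter values (4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787) do look consistent with the "Users Added" title.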
@@ -1342,10 +1518,10 @@ }, { "enabled": true, - "id": "4", + "id": "5", "params": { "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", + "field": "user.name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -1359,9 +1535,9 @@ }, { "enabled": true, - "id": "5", + "id": "6", "params": { - "customLabel": "Performer LogonID", + "customLabel": "Performed by Logon ID", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1429,11 +1605,24 @@ } }, "params": {} + }, + { + "accessor": 4, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], "metrics": [ { - "accessor": 4, + "accessor": 5, "aggType": "count", "format": { "id": "number" @@ -1443,6 +1632,7 @@ ] }, "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -1452,13 +1642,13 @@ }, "totalFunc": "sum" }, - "title": "Groups Created - Table [Winlogbeat Security]", + "title": "Users Added - Table [Winlogbeat Security]", "type": "table" } }, - "id": "98884120-f49d-11e9-8405-516218e3d268", + "id": "ce867840-f49e-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1473,8 +1663,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI5LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MCwxXQ==" }, { "attributes": { @@ -1493,12 +1683,17 @@ "key": "event.code", "negate": false, "params": [ - "4735", - "4737", - "4755" + "4733", + "4729", + "4757", + "4786", + "4788", + "4752", + "4762", + "4747" ], "type": "phrases", - "value": "4735, 4737, 4755" + "value": "4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747" }, "query": { "bool": { 
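Review bot: The "Performed by" column of the Users Added table is switched to `user.name` here, while the same column in the Users Removed table in the following hunks and in the Group Changes/Groups Deleted tables stays on `winlog.event_data.SubjectUserName`. If the security module copies SubjectUserName into user.name for these 47xx events the two render the same today, but the panels can drift apart and a filter pinned from one will not apply to the other, so every "Performed by" column should use one field. `user.name` is the ECS field with a guaranteed keyword mapping, so I would move the sibling tables to `"field": "user.name"` rather than revert this one — please confirm against the module's pipeline that user.name carries the subject (actor) and not the member for these events.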
@@ -1506,17 +1701,42 @@ "should": [ { "match_phrase": { - "event.code": "4735" + "event.code": "4733" } }, { "match_phrase": { - "event.code": "4737" + "event.code": "4729" } }, { "match_phrase": { - "event.code": "4755" + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4786" + } + }, + { + "match_phrase": { + "event.code": "4788" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4747" } } ] @@ -1531,7 +1751,7 @@ } } }, - "title": "Group Changes - Table [Winlogbeat Security]", + "title": "Users Removed from Group - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1555,6 +1775,23 @@ { "enabled": true, "id": "2", + "params": { + "customLabel": "User", + "field": "winlog.event_data.MemberName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", "params": { "customLabel": "Group", "field": "group.name", @@ -1564,14 +1801,14 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 20 + "size": 10 }, "schema": "bucket", "type": "terms" }, { "enabled": true, - "id": "3", + "id": "4", "params": { "customLabel": "Domain", "field": "group.domain", @@ -1588,7 +1825,7 @@ }, { "enabled": true, - "id": "4", + "id": "5", "params": { "customLabel": "Performed by", "field": "winlog.event_data.SubjectUserName", @@ -1605,9 +1842,9 @@ }, { "enabled": true, - "id": "5", + "id": "6", "params": { - "customLabel": "Performer LogonID", + "customLabel": "Performed by Logon ID", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", 
@@ -1675,11 +1912,24 @@ } }, "params": {} + }, + { + "accessor": 4, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], "metrics": [ { - "accessor": 4, + "accessor": 5, "aggType": "count", "format": { "id": "number" @@ -1689,6 +1939,7 @@ ] }, "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -1698,13 +1949,13 @@ }, "totalFunc": "sum" }, - "title": "Group Changes - Table [Winlogbeat Security]", + "title": "Users Removed from Group - Table [Winlogbeat Security]", "type": "table" } }, - "id": "9e534190-f49d-11e9-8405-516218e3d268", + "id": "fee83900-f49f-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1719,8 +1970,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMwLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MSwxXQ==" }, { "attributes": { @@ -1739,12 +1990,10 @@ "key": "event.code", "negate": false, "params": [ - "4734", - "4730", - "4758" + "4799" ], "type": "phrases", - "value": "4734, 4730, 4758" + "value": "4799" }, "query": { "bool": { @@ -1752,17 +2001,7 @@ "should": [ { "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4758" + "event.code": "4799" } } ] @@ -1777,7 +2016,7 @@ } } }, - "title": "Groups Deleted - Table [Winlogbeat Security]", + "title": "Group Enumeration - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1836,7 +2075,7 @@ "enabled": true, "id": "4", "params": { - "customLabel": "Performed by", + "customLabel": "Creator", "field": "winlog.event_data.SubjectUserName", "missingBucket": false, "missingBucketLabel": "Missing", 
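Review bot: The Group Enumeration table now labels the `winlog.event_data.SubjectUserName` bucket `Creator` (and the following hunk labels `winlog.logon.id` as `Creator LogonID`), but the panel is filtered to 4799, where the subject is the account that enumerated the group's membership, not a creator; an analyst reading "Creator" next to a reconnaissance event will draw the wrong conclusion. Use `"customLabel": "Enumerated by"` and `"customLabel": "Enumerated by Logon ID"` to match the "Performed by"/"Performed by Logon ID" wording used by the other tables in this file. If the module also parses 4798 (a user's local group membership was enumerated), consider adding it to this panel's filter, since it is the same recon pattern.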
@@ -1853,7 +2092,7 @@ "enabled": true, "id": "5", "params": { - "customLabel": "Performer LogonID", + "customLabel": "Creator LogonID", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1944,13 +2183,13 @@ }, "totalFunc": "sum" }, - "title": "Groups Deleted - Table [Winlogbeat Security]", + "title": "Group Enumeration - Table [Winlogbeat Security]", "type": "table" } }, - "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", + "id": "bc165210-f4b8-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1965,12 +2204,20 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMxLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MiwxXQ==" }, { "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], "description": "", + "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -1985,12 +2232,10 @@ "key": "event.code", "negate": false, "params": [ - "4732", - "4728", - "4756" + "4624" ], "type": "phrases", - "value": "4732, 4728, 4756" + "value": "4624" }, "query": { "bool": { @@ -1998,17 +2243,7 @@ "should": [ { "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4756" + "event.code": "4624" } } ] 
@@ -2016,217 +2251,27 @@ } } ], + "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" - } - } - }, - "title": "Users Added - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } + }, + "version": true } }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "User", - "field": "winlog.event_data.MemberName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "6", - "params": { - "customLabel": "Performed by Logon ID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": 
"Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 4, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 5, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "title": "Users Added - Table [Winlogbeat Security]", - "type": "table" - } + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Winlogbeat Security]", + "version": 1 }, - "id": "ce867840-f49e-11e9-8405-516218e3d268", + "id": "7e178c80-fee1-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "search": "7.4.0" }, "references": [ { 
@@ -2240,9 +2285,9 @@ "type": "index-pattern" } ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMyLDFd" + "type": "search", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MywxXQ==" }, { "attributes": { @@ -2261,12 +2306,17 @@ "key": "event.code", "negate": false, "params": [ - "4733", - "4729", - "4757" + "4732", + "4728", + "4756", + "4751", + "4761", + "4746", + "4785", + "4787" ], "type": "phrases", - "value": "4733, 4729, 4757" + "value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787" }, "query": { "bool": { @@ -2274,17 +2324,42 @@ "should": [ { "match_phrase": { - "event.code": "4733" + "event.code": "4732" } }, { "match_phrase": { - "event.code": "4729" + "event.code": "4728" } }, { "match_phrase": { - "event.code": "4757" + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4785" + } + }, + { + "match_phrase": { + "event.code": "4787" } } ] 
@@ -2294,215 +2369,94 @@ ], "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { - "language": "kuery", + "language": "lucene", "query": "" } } }, - "title": "Users Removed from Group - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, + "title": "Users Added - Simple Metric [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "User", - "field": "winlog.event_data.MemberName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "6", "params": { - "customLabel": "Performed by Logon ID", - "field": 
"winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 + "customLabel": "Users Added to Groups" }, - "schema": "bucket", - "type": "terms" + "schema": "metric", + "type": "count" } ], "params": { + "addLegend": false, + "addTooltip": true, "dimensions": { - "buckets": [ + "metrics": [ { "accessor": 0, - "aggType": "terms", "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } + "id": "number", + "params": {} }, - "params": {} + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Reds", + "colorsRange": [ + { + "from": 0, + "to": 1, + "type": "range" }, { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "from": 1, + "to": 5 }, { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "from": 5, + "to": 10 }, { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "from": 10, + "to": 15 }, { - "accessor": 4, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ + "from": 15, + "to": 20 + }, { - "accessor": 5, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} + "from": 20, + "to": 9999 } - ] - }, - "perPage": 5, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + ], + "invertColors": 
false, + "labels": { + "show": true + }, + "metricColorMode": "Labels", + "percentageMode": false, + "style": { + "bgColor": true, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false }, - "totalFunc": "sum" + "type": "metric" }, - "title": "Users Removed from Group - Table [Winlogbeat Security]", - "type": "table" + "title": "Users Added - Simple Metric [Winlogbeat Security]", + "type": "metric" } }, - "id": "fee83900-f49f-11e9-8405-516218e3d268", + "id": "a13bf640-fee8-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2517,8 +2471,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMzLDFd" + "updated_at": "2020-06-04T16:26:22.158Z", + "version": "WzMwLDFd" }, { "attributes": { @@ -2537,10 +2491,17 @@ "key": "event.code", "negate": false, "params": [ - "4799" + "4734", + "4730", + "4758", + "4748", + "4763", + "4753", + "4792", + "4789" ], "type": "phrases", - "value": "4799" + "value": "4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789" }, "query": { "bool": { @@ -2548,7 +2509,42 @@ "should": [ { "match_phrase": { - "event.code": "4799" + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4792" + } + }, + { + "match_phrase": { + "event.code": "4789" } } ] 
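Review bot: The Users Added metric caps its last colour range at `"to": 9999` while the otherwise identical Groups Deleted metric later in this diff uses `"to": 10000`, and only the first entry of each range list carries `"type": "range"`. This is harmless if Kibana maps out-of-range counts to the last bucket (I believe it does, but have not verified), yet the asymmetry reads like copy-paste drift; use one upper bound for all the new metric panels. These metric objects also flip the query language from `kuery` to `lucene` with an empty query — not a bug, but the rest of the file stays on `kuery`.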
@@ -2558,185 +2554,94 @@ ], "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { - "language": "kuery", + "language": "lucene", "query": "" } } }, - "title": "Group Enumeration [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, + "title": "Groups Deleted- Simple Metric [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Creator", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", "params": { - "customLabel": "Creator LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 + "customLabel": "Groups Deleted" }, - "schema": "bucket", - "type": "terms" + "schema": "metric", + "type": "count" } ], "params": { + "addLegend": false, + "addTooltip": true, 
"dimensions": { - "buckets": [ + "metrics": [ { "accessor": 0, - "aggType": "terms", "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } + "id": "number", + "params": {} }, - "params": {} + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Greens", + "colorsRange": [ + { + "from": 0, + "to": 1, + "type": "range" }, { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "from": 1, + "to": 5 }, { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "from": 5, + "to": 10 }, { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ + "from": 10, + "to": 15 + }, { - "accessor": 4, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} + "from": 15, + "to": 20 + }, + { + "from": 20, + "to": 10000 } - ] - }, - "perPage": 5, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "Labels", + "percentageMode": false, + "style": { + "bgColor": true, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false }, - "totalFunc": "sum" + "type": "metric" }, - "title": "Group Enumeration [Winlogbeat Security]", - "type": "table" + "title": "Groups Deleted- Simple Metric [Winlogbeat Security]", + "type": "metric" } }, - "id": "bc165210-f4b8-11e9-8405-516218e3d268", + "id": "5eeaafd0-fee7-11e9-8405-516218e3d268", 
"migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2751,20 +2656,12 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzM0LDFd" + "updated_at": "2020-06-04T16:26:22.158Z", + "version": "WzMxLDFd" }, { "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -2779,10 +2676,17 @@ "key": "event.code", "negate": false, "params": [ - "4624" + "4731", + "4727", + "4754", + "4744", + "4759", + "4779", + "4790", + "4783" ], "type": "phrases", - "value": "4624" + "value": "4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783" }, "query": { "bool": { @@ -2790,7 +2694,42 @@ "should": [ { "match_phrase": { - "event.code": "4624" + "event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + "event.code": "4779" + } + }, + { + "match_phrase": { + "event.code": "4790" + } + }, + { + "match_phrase": { + "event.code": "4783" } } ] 
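Review bot: The new title string `"Groups Deleted- Simple Metric [Winlogbeat Security]"` is missing the space before the hyphen, and it is written twice in this object (the saved-object `title` and `visState.title`), so both should read `"Groups Deleted - Simple Metric [Winlogbeat Security]"`. Every other metric in this export uses the `"<Name> - Simple Metric [Winlogbeat Security]"` form, and the title is what appears in the panel header and in saved-object search, so the inconsistency is user-visible. This object's `id` and `references` are in the following hunk.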
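Review bot: Event code `4779` in the new Groups Created filter does not belong with the other codes: as I read the Windows Security audit catalogue, 4779 is the "session was disconnected from a window station" event, while the consolidated group-management search later in this diff lists `4749` (security-disabled global group created) alongside the same 4744/4759 family. This looks like a digit-swap typo for 4749; as written, the Groups Created metric would count session-disconnect events and miss created security-disabled global groups. `params`, the comma-separated `value` string, and the matching `match_phrase` entry in the next hunk should all read `4749`.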
@@ -2798,100 +2737,14 @@ } } ], - "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { - "language": "kuery", + "language": "lucene", "query": "" - }, - "version": true + } } }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Winlogbeat Security]", - "version": 1 - }, - "id": "7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkyLDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4732", - "4728", - "4756" - ], - "type": "phrases", - "value": "4732, 4728, 4756" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - } - } - }, - "title": "Users Added - Simple Metric [Winlogbeat Security]", + "title": "Groups Created - Simple Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -2900,7 +2753,7 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Users Added to Groups" + "customLabel": "Groups Created" }, "schema": "metric", "type": "count" 
@@ -2926,15 +2779,27 @@ "colorsRange": [ { "from": 0, - "to": 10000, + "to": 1, "type": "range" + }, + { + "from": 1, + "to": 10 + }, + { + "from": 10, + "to": 20 + }, + { + "from": 20, + "to": 9999 } ], "invertColors": false, "labels": { "show": true }, - "metricColorMode": "Background", + "metricColorMode": "Labels", "percentageMode": false, "style": { "bgColor": true, @@ -2947,13 +2812,13 @@ }, "type": "metric" }, - "title": "Users Added - Simple Metric [Winlogbeat Security]", + "title": "Groups Created - Simple Metric [Winlogbeat Security]", "type": "metric" } }, - "id": "a13bf640-fee8-11e9-8405-516218e3d268", + "id": "f42f3b20-fee6-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2968,8 +2833,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzM2LDFd" + "updated_at": "2020-06-04T16:26:22.158Z", + "version": "WzMyLDFd" }, { "attributes": { @@ -2988,12 +2853,18 @@ "key": "event.code", "negate": false, "params": [ - "4734", - "4730", - "4758" + "4735", + "4737", + "4755", + "4750", + "4760", + "4745", + "4791", + "4784", + "4764" ], "type": "phrases", - "value": "4734, 4730, 4758" + "value": "4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764" }, "query": { "bool": { @@ -3001,17 +2872,47 @@ "should": [ { "match_phrase": { - "event.code": "4734" + "event.code": "4735" } }, { "match_phrase": { - "event.code": "4730" + "event.code": "4737" } }, { "match_phrase": { - "event.code": "4758" + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4791" + } + }, + { + "match_phrase": { + "event.code": "4784" + } + }, + { + "match_phrase": { + "event.code": "4764" } } ] 
@@ -3026,7 +2927,7 @@ } } }, - "title": "Groups Deleted- Simple Metric [Winlogbeat Security]", + "title": "Groups Changes - Simple Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3035,7 +2936,7 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Groups Deleted" + "customLabel": "Groups Changed" }, "schema": "metric", "type": "count" @@ -3057,19 +2958,39 @@ ] }, "metric": { - "colorSchema": "Greens", + "colorSchema": "Yellow to Red", "colorsRange": [ { "from": 0, - "to": 10000, + "to": 1, "type": "range" + }, + { + "from": 1, + "to": 5 + }, + { + "from": 5, + "to": 10 + }, + { + "from": 10, + "to": 15 + }, + { + "from": 15, + "to": 20 + }, + { + "from": 20, + "to": 100000 } ], "invertColors": false, "labels": { "show": true }, - "metricColorMode": "Background", + "metricColorMode": "Labels", "percentageMode": false, "style": { "bgColor": true, @@ -3082,13 +3003,13 @@ }, "type": "metric" }, - "title": "Groups Deleted- Simple Metric [Winlogbeat Security]", + "title": "Groups Changes - Simple Metric [Winlogbeat Security]", "type": "metric" } }, - "id": "5eeaafd0-fee7-11e9-8405-516218e3d268", + "id": "b5f38780-fee6-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -3103,8 +3024,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzM3LDFd" + "updated_at": "2020-06-04T16:26:22.158Z", + "version": "WzMzLDFd" }, { "attributes": { @@ -3123,12 +3044,17 @@ "key": "event.code", "negate": false, "params": [ - "4731", - "4727", - "4754" + "4733", + "4729", + "4757", + "4786", + "4788", + "4752", + "4762", + "4747" ], "type": "phrases", - "value": "4731, 4727, 4754" + "value": "4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747" }, "query": { "bool": { 
@@ -3136,17 +3062,42 @@ "should": [ { "match_phrase": { - "event.code": "4731" + "event.code": "4733" } }, { "match_phrase": { - "event.code": "4727" + "event.code": "4729" } }, { "match_phrase": { - "event.code": "4754" + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4786" + } + }, + { + "match_phrase": { + "event.code": "4788" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4747" } } ] @@ -3161,7 +3112,7 @@ } } }, - "title": "Groups Created - Simple Metric [Winlogbeat Security]", + "title": "Users Removed from Group - Simple Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3170,7 +3121,7 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Groups Created" + "customLabel": "Users Removed from Groups" }, "schema": "metric", "type": "count" @@ -3192,19 +3143,39 @@ ] }, "metric": { - "colorSchema": "Reds", + "colorSchema": "Greens", "colorsRange": [ { "from": 0, - "to": 10000, + "to": 1, "type": "range" + }, + { + "from": 1, + "to": 5 + }, + { + "from": 5, + "to": 9 + }, + { + "from": 9, + "to": 13 + }, + { + "from": 13, + "to": 17 + }, + { + "from": 17, + "to": 20000 } ], "invertColors": false, "labels": { "show": true }, - "metricColorMode": "Background", + "metricColorMode": "Labels", "percentageMode": false, "style": { "bgColor": true, @@ -3217,13 +3188,13 @@ }, "type": "metric" }, - "title": "Groups Created - Simple Metric [Winlogbeat Security]", + "title": "Users Removed from Group - Simple Metric [Winlogbeat Security]", "type": "metric" } }, - "id": "f42f3b20-fee6-11e9-8405-516218e3d268", + "id": "1b5f17d0-feea-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { 
@@ -3238,8 +3209,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzM4LDFd" + "updated_at": "2020-06-04T16:26:22.158Z", + "version": "WzM0LDFd" }, { "attributes": { @@ -3257,40 +3228,18 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": [ - "4735", - "4737", - "4755", - "4764" - ], - "type": "phrases", - "value": "4735, 4737, 4755, 4764" + "params": { + "query": "4799" + }, + "type": "phrase", + "value": "4799" }, "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4764" - } - } - ] + "match": { + "event.code": { + "query": "4799", + "type": "phrase" + } } } } @@ -3302,7 +3251,7 @@ } } }, - "title": "Groups Changes - Simple Metric [Winlogbeat Security]", + "title": "Group Membership Enumeration - Simple Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3311,7 +3260,7 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Groups Changed" + "customLabel": "Group Membership Enumerated" }, "schema": "metric", "type": "count" @@ -3333,19 +3282,31 @@ ] }, "metric": { - "colorSchema": "Greys", + "colorSchema": "Blues", "colorsRange": [ { "from": 0, - "to": 10000, + "to": 500, "type": "range" + }, + { + "from": 500, + "to": 20000 + }, + { + "from": 20000, + "to": 30000 + }, + { + "from": 30000, + "to": 40000 } ], - "invertColors": false, + "invertColors": true, "labels": { "show": true }, - "metricColorMode": "Background", + "metricColorMode": "Labels", "percentageMode": false, "style": { "bgColor": true, 
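Review bot: The Group Membership Enumeration metric ships with an empty `"description"`, so an analyst opening the panel has nothing beyond the title to say what the number is; a one-liner such as `"description": "Count of Windows Security event 4799 (group membership enumerated) over the selected time range."` ties the count to its event code. The colour ranges here (0–500, then steps up to 40000 with inverted Blues) also differ from every other metric in this export, which step in units of 1–20; if 4799 is expected to be far noisier than the group-change events, saying so in the description would explain the different scale. The object's `style` block and `id` continue in the following hunks.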
@@ -3358,13 +3319,13 @@ }, "type": "metric" }, - "title": "Groups Changes - Simple Metric [Winlogbeat Security]", + "title": "Group Membership Enumeration - Simple Metric [Winlogbeat Security]", "type": "metric" } }, - "id": "b5f38780-fee6-11e9-8405-516218e3d268", + "id": "0f2f5280-feeb-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -3379,12 +3340,21 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzM5LDFd" + "updated_at": "2020-06-04T16:26:22.158Z", + "version": "WzM1LDFd" }, { "attributes": { + "columns": [ + "event.action", + "group.name", + "group.domain", + "user.name", + "user.domain", + "host.name" + ], "description": "", + "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ 
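Review bot: The `columns` list added to the group-management saved search shows `user.name`/`user.domain` but no field for the account that was added to or removed from the group, which is the fact an analyst needs for the member-add/remove codes (4728/4732/4756, 4729/4733/4757 and their security-disabled counterparts) this search filters on. The column it replaces, `winlog.event_data.SubjectUserName` (removed further down in this diff), was the acting subject, and `user.name` presumably maps to that same subject, so neither version surfaces the member. If the module keeps the raw event data, adding `"winlog.event_data.MemberName"` (or `MemberSid`) to `columns` would show it; please confirm against the security module's field mapping.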
@@ -3399,268 +3369,13 @@ "key": "event.code", "negate": false, "params": [ + "4731", + "4732", "4733", - "4727", - "4729" - ], - "type": "phrases", - "value": "4733, 4727, 4729" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - } - } - }, - "title": "Users Removed from Group - Simple Metric [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Users Removed from Groups" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Greens", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "Background", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "Users Removed from Group - Simple Metric [Winlogbeat Security]", - "type": "metric" - } - }, - "id": "1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": 
"2020-02-04T20:39:00.715Z", - "version": "WzQwLDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4799" - }, - "type": "phrase", - "value": "4799" - }, - "query": { - "match": { - "event.code": { - "query": "4799", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - } - } - }, - "title": "Group Membership Enumeration - Simple Metric [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Group Membership Enumerated" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Blues", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": true, - "labels": { - "show": true - }, - "metricColorMode": "Background", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "Group Membership Enumeration - Simple Metric [Winlogbeat Security]", - "type": "metric" - } - }, - "id": "0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzQxLDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4732", - "4733", - "4734", - "4735", - "4737", - "4764", - "4799", + "4734", + "4735", + "4737", + "4764", "4727", "4728", "4729", @@ -3669,10 +3384,25 @@ "4755", "4756", "4757", - "4758" + "4758", + "4799", + "4749", + "4750", + "4751", + "4752", + "4753", + "4759", + "4760", + "4761", + "4762", + "4763", + "4744", + "4745", + "4746", + "4748" ], "type": "phrases", - "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4799, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758" + "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" }, "query": { "bool": { @@ -3713,11 +3443,6 @@ "event.code": "4764" } }, - { - "match_phrase": { - "event.code": "4799" - } - }, { "match_phrase": { "event.code": "4727" 
@@ -3762,352 +3487,80 @@ "match_phrase": { "event.code": "4758" } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - } - } - }, - "title": "Group Management Action Distribution over Time [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "timeRange": { - "from": "now-30d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "dimensions": { - "series": [ - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "date_histogram", - "format": { - "id": "date", - "params": { - "pattern": "YYYY-MM-DD HH:mm" - } - 
}, - "params": { - "bounds": { - "max": "2019-11-04T10:56:42.142Z", - "min": "2019-10-05T09:56:42.142Z" - }, - "date": true, - "format": "YYYY-MM-DD HH:mm", - "interval": "PT12H" - } - }, - "y": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "grid": { - "categoryLines": false - }, - "labels": { - "show": true - }, - "legendPosition": "bottom", - "seriesParams": [ - { - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "mode": "stacked", - "show": "true", - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "Group Management Action Distribution over Time [Winlogbeat Security]", - "type": "histogram" - } - }, - "id": "24954800-fef0-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzQyLDFd" - }, - { - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "winlog.event_data.SubjectUserName", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4732", - "4733", - "4734", - "4735", - "4737", - "4764", - "4799", - "4727", - "4728", - "4729", - "4730", - "4754", - "4755", - "4756", - "4757", - "4758" - ], - "type": "phrases", - "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4799, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } }, { "match_phrase": { - "event.code": "4733" + "event.code": "4799" } }, { "match_phrase": { - "event.code": "4734" + "event.code": "4749" } }, { "match_phrase": { - "event.code": "4735" + "event.code": "4750" } }, { "match_phrase": { - "event.code": "4737" + "event.code": "4751" } }, { "match_phrase": { - "event.code": "4764" + "event.code": "4752" } }, { "match_phrase": { - "event.code": "4799" + "event.code": "4753" } }, { "match_phrase": { - "event.code": "4727" + "event.code": "4759" } }, { "match_phrase": { - "event.code": "4728" + "event.code": "4760" } }, { "match_phrase": { - "event.code": "4729" + "event.code": "4761" } }, { "match_phrase": { - "event.code": "4730" + "event.code": "4762" } }, { "match_phrase": { - "event.code": "4754" + "event.code": "4763" } }, { "match_phrase": { - "event.code": "4755" + "event.code": "4744" } }, { "match_phrase": { - "event.code": "4756" + "event.code": "4745" } }, { "match_phrase": { - "event.code": "4757" + "event.code": "4746" } }, { "match_phrase": { - "event.code": "4758" + "event.code": "4748" } } ] 
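Review bot: The event-code list for the consolidated group-management search (`params`, the `value` string, and the `match_phrase` clauses in this hunk) covers 4727–4764 and 4799 but omits the basic-application-group and LDAP-query-group codes that the per-metric filters elsewhere in this diff count: 4783/4790 (Groups Created), 4784/4791 (Groups Changes), 4786/4788 (Users Removed), 4789/4792 (Groups Deleted). Any table or tag cloud fed from this saved search will therefore disagree with the metric panels whenever those events occur. Add the eight codes to `params`, to the comma-separated `value` string, and as `match_phrase` entries so the search covers the same set as the metrics; the search object's `id` and `references` are outside this hunk.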
@@ -4150,9 +3603,554 @@ } ], "type": "search", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzQzLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboard links - Simple [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat General ECS Dashboard](#/dashboard/Winlogbeat-Dashboard-ecs) | [User Logon Information](#/dashboard/035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/01c54730-fee6-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links - Simple [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "event.action", + "field": "event.action", + "missingBucket": false, + 
"missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 50 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "event.code", + "field": "event.code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", + "type": "table" + } + }, + "id": "33462600-9b47-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Target Groups - Tag Cloud [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "group.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 58, + "minFontSize": 18, + 
"orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Group Management Events - Target Groups - Tag Cloud [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "58fb9480-9b46-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Target Groups", + "field": "group.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Actions", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "colorSchema": "Blues", + "colorsNumber": 4, + "colorsRange": [], + "enableHover": false, + "invertColors": false, + "legendPosition": "right", + "percentageMode": false, + "setColorRange": false, + "times": [], + "type": "heatmap", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "black", 
+ "overwriteColor": false, + "rotate": 0, + "show": true + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", + "type": "heatmap" + } + }, + "id": "e20c02d0-9b48-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Action Distribution over Time [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-30d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": 
true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "valueAxis": "" + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Group Management Action Distribution over Time [Winlogbeat Security]", + "type": "histogram" + } + }, + "id": "7de2e3f0-9b4d-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0OSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Event Actions [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + 
"otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Group Management Events - Event Actions [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "b89b0c90-9b41-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NSwxXQ==" } ], - "version": "7.5.2" + "version": "7.7.0" } diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/bb858830-f412-11e9-8405-516218e3d268.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-group-management.json similarity index 77% rename from x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/bb858830-f412-11e9-8405-516218e3d268.json rename to x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-group-management.json index 406b2526598..baccc13ab72 100644 --- a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/bb858830-f412-11e9-8405-516218e3d268.json +++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-group-management.json @@ -2,7 +2,7 @@ "objects": [ { "attributes": { - "description": "Includes Visual Builder Metric\nInterval size 90 days", + "description": "Group management activity.", "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { 
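Review bot: The "Dashboard links - Simple" markdown visualization added in this hunk hard-codes its five targets by saved-object id inside the `markdown` string and declares `"references": []`, so Kibana cannot validate those links at import time and a renamed or re-exported dashboard silently turns them into dead navigation. The second link also carries a stray trailing `?` (`#/dashboard/035846a0-a249-11e9-a422-d144027429da?`) that the other four do not. I would drop the `?` and fill the object's empty `"description"` with a one-liner such as `"Links to the other Winlogbeat Security dashboards; ids must match the dashboards shipped by this module."`, since nothing else ties the ids to the objects they point at.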
@@ -15,287 +15,363 @@ }, "optionsJSON": { "hidePanelTitles": false, - "useMargins": true + "useMargins": false }, "panelsJSON": [ { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 20, + "h": 7, "i": "22", - "w": 17, + "w": 16, "x": 0, "y": 0 }, "panelIndex": "22", "panelRefName": "panel_0", - "title": "", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { - "vis": { - "legendOpen": false - } - }, - "gridData": { - "h": 20, - "i": "23", - "w": 21, - "x": 17, - "y": 0 - }, - "panelIndex": "23", - "panelRefName": "panel_1", - "title": "Group Managment Actions [Winlogbeat Security]", - "version": "7.3.1" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 20, - "i": "25", - "w": 10, - "x": 38, - "y": 0 + "title": "" }, - "panelIndex": "25", - "panelRefName": "panel_2", - "title": "Event Codes [Winlogbeat Security]", - "version": "7.3.1" - }, - { - "embeddableConfig": {}, "gridData": { "h": 7, "i": "29", "w": 16, "x": 0, - "y": 61 + "y": 68 }, "panelIndex": "29", - "panelRefName": "panel_3", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_1", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 7, "i": "30", "w": 9, "x": 18, - "y": 41 + "y": 48 }, "panelIndex": "30", - "panelRefName": "panel_4", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_2", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 7, "i": "31", "w": 9, "x": 0, - "y": 41 + "y": 48 }, "panelIndex": "31", - "panelRefName": "panel_5", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_3", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 7, "i": "32", "w": 9, "x": 9, - "y": 41 + "y": 48 }, "panelIndex": "32", - "panelRefName": "panel_6", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_4", + "version": "7.7.0" 
}, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 7, "i": "33", "w": 17, "x": 16, - "y": 61 + "y": 68 }, "panelIndex": "33", - "panelRefName": "panel_7", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_5", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { "h": 7, "i": "34", "w": 15, "x": 33, - "y": 61 + "y": 68 }, "panelIndex": "34", - "panelRefName": "panel_8", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_6", + "version": "7.7.0" }, { "embeddableConfig": { - "vis": { - "defaultColors": { - "0 - 1": "rgb(247,251,255)", - "1 - 2": "rgb(198,219,239)", - "2 - 3": "rgb(107,174,214)", - "3 - 4": "rgb(33,113,181)" - }, - "legendOpen": false - } - }, - "gridData": { - "h": 21, - "i": "35", - "w": 27, - "x": 0, - "y": 20 + "title": "Group Creation Summary [Winlogbeat Security]" }, - "panelIndex": "35", - "panelRefName": "panel_9", - "title": "Actions performed over Groups [Winlogbeat Security]", - "version": "7.3.1" - }, - { - "embeddableConfig": {}, "gridData": { "h": 13, "i": "36", "w": 9, "x": 0, - "y": 48 + "y": 55 }, "panelIndex": "36", - "panelRefName": "panel_10", + "panelRefName": "panel_7", "title": "Group Creation Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Group Changes Summary [Winlogbeat Security]" + }, "gridData": { "h": 13, "i": "37", "w": 9, "x": 9, - "y": 48 + "y": 55 }, "panelIndex": "37", - "panelRefName": "panel_11", + "panelRefName": "panel_8", "title": "Group Changes Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Group Deletion Summary [Winlogbeat Security]" + }, "gridData": { "h": 13, "i": "38", "w": 9, "x": 18, - "y": 48 + "y": 55 }, "panelIndex": "38", - "panelRefName": "panel_12", + "panelRefName": "panel_9", "title": "Group 
Deletion Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Users Added to Group Summary [Winlogbeat Security]" + }, "gridData": { "h": 14, "i": "39", "w": 16, "x": 0, - "y": 68 + "y": 75 }, "panelIndex": "39", - "panelRefName": "panel_13", + "panelRefName": "panel_10", "title": "Users Added to Group Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Users Removed From Group Summary [Winlogbeat Security]" + }, "gridData": { "h": 14, "i": "40", "w": 17, "x": 16, - "y": 68 + "y": 75 }, "panelIndex": "40", - "panelRefName": "panel_14", + "panelRefName": "panel_11", "title": "Users Removed From Group Summary [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Group Enumeration - Table [Winlogbeat Security]" + }, "gridData": { "h": 14, "i": "42", "w": 15, "x": 33, - "y": 68 + "y": 75 }, "panelIndex": "42", - "panelRefName": "panel_15", + "panelRefName": "panel_12", "title": "Group Enumeration - Table [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Logon Details [Winlogbeat Security]" + }, "gridData": { "h": 20, "i": "43", "w": 21, "x": 27, - "y": 41 + "y": 48 }, "panelIndex": "43", - "panelRefName": "panel_16", + "panelRefName": "panel_13", "title": "Logon Details [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Group Management Operations Details [Winlogbeat Security]" + }, + "gridData": { + "h": 22, + "i": "45", + "w": 48, + "x": 0, + "y": 89 + }, + "panelIndex": "45", + "panelRefName": "panel_14", + "title": "Group Management Operations Details [Winlogbeat Security]", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-group-account": 
"#0A437C", + "added-member-to-group": "#1F78C1", + "deleted-group-account": "#5195CE", + "modified-group-account": "#052B51", + "user-member-enumerated": "#447EBC" + }, + "vis": { + "colors": { + "added-group-account": "#0A437C", + "added-member-to-group": "#1F78C1", + "deleted-group-account": "#82B5D8", + "modified-group-account": "#052B51", + "user-member-enumerated": "#447EBC" + } + } + }, + "gridData": { + "h": 20, + "i": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", + "w": 20, + "x": 0, + "y": 7 + }, + "panelIndex": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", + "panelRefName": "panel_15", + "version": "7.7.0" }, { "embeddableConfig": {}, "gridData": { - "h": 21, - "i": "44", - "w": 21, - "x": 27, - "y": 20 + "h": 20, + "i": "8cda9d6a-096f-41a5-86e6-09dd1f6b9c98", + "w": 16, + "x": 32, + "y": 7 + }, + "panelIndex": "8cda9d6a-096f-41a5-86e6-09dd1f6b9c98", + "panelRefName": "panel_16", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]" + }, + "gridData": { + "h": 20, + "i": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", + "w": 12, + "x": 20, + "y": 7 }, - "panelIndex": "44", + "panelIndex": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", "panelRefName": "panel_17", - "version": "7.3.1" + "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "vis": null + }, "gridData": { - "h": 22, - "i": "45", - "w": 48, + "h": 21, + "i": "33cef054-615a-49cb-bb2e-eb55fab96ae5", + "w": 27, "x": 0, - "y": 82 + "y": 27 }, - "panelIndex": "45", + "panelIndex": "33cef054-615a-49cb-bb2e-eb55fab96ae5", "panelRefName": "panel_18", - "title": "Group Management Operations Details [Winlogbeat Security]", - "version": "7.3.1" + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-group-account": "#1F78C1", + "added-member-to-group": "#0A437C", + "deleted-group-account": "#5195CE", + 
"modified-group-account": "#0A50A1", + "type-changed-group-account": "#82B5D8", + "user-member-enumerated": "#447EBC" + }, + "vis": { + "colors": { + "added-group-account": "#1F78C1", + "added-member-to-group": "#0A437C", + "deleted-group-account": "#5195CE", + "modified-group-account": "#0A50A1", + "removed-member-from-group": "#BADFF4", + "type-changed-group-account": "#82B5D8", + "user-member-enumerated": "#447EBC" + } + } + }, + "gridData": { + "h": 21, + "i": "e0d495aa-f897-403f-815b-6116fae330b7", + "w": 21, + "x": 27, + "y": 27 + }, + "panelIndex": "e0d495aa-f897-403f-815b-6116fae330b7", + "panelRefName": "panel_19", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "663e0493-2070-407b-9d00-079915cce7e7", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "663e0493-2070-407b-9d00-079915cce7e7", + "panelRefName": "panel_20", + "version": "7.7.0" } ], "timeRestore": false, 
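Review bot: The per-panel colour maps in this hunk are duplicated under `embeddableConfig.colors` and `embeddableConfig.vis.colors` and have already drifted: panel_15 maps `deleted-group-account` to `#5195CE` in one block and `#82B5D8` in the other, and panel_19 lists `removed-member-from-group` only under `vis.colors`. One of the two blocks is presumably legacy state carried over by the export, so keep a single map per panel rather than shipping two sources of truth that disagree. Panel_18's `"vis": null` looks like the same kind of leftover and can be written as `"embeddableConfig": {}` like the panel before it. The panelsJSON array starts in this hunk but the dashboard object continues outside it.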
@@ -313,99 +389,109 @@ "type": "visualization" }, { - "id": "b01aaea0-f415-11e9-8405-516218e3d268", + "id": "ffebe440-f419-11e9-8405-516218e3d268", "name": "panel_1", "type": "visualization" }, { - "id": "11b5c0e0-f417-11e9-8405-516218e3d268", + "id": "e22c6f40-f498-11e9-8405-516218e3d268", "name": "panel_2", "type": "visualization" }, { - "id": "ffebe440-f419-11e9-8405-516218e3d268", + "id": "ee292bc0-f499-11e9-8405-516218e3d268", "name": "panel_3", "type": "visualization" }, { - "id": "e22c6f40-f498-11e9-8405-516218e3d268", + "id": "400b63e0-f49a-11e9-8405-516218e3d268", "name": "panel_4", "type": "visualization" }, { - "id": "ee292bc0-f499-11e9-8405-516218e3d268", + "id": "a5f664c0-f49a-11e9-8405-516218e3d268", "name": "panel_5", "type": "visualization" }, { - "id": "400b63e0-f49a-11e9-8405-516218e3d268", + "id": "546febc0-f49b-11e9-8405-516218e3d268", "name": "panel_6", "type": "visualization" }, { - "id": "a5f664c0-f49a-11e9-8405-516218e3d268", + "id": "98884120-f49d-11e9-8405-516218e3d268", "name": "panel_7", "type": "visualization" }, { - "id": "546febc0-f49b-11e9-8405-516218e3d268", + "id": "9e534190-f49d-11e9-8405-516218e3d268", "name": "panel_8", "type": "visualization" }, { - "id": "b948eaf0-f49c-11e9-8405-516218e3d268", + "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", "name": "panel_9", "type": "visualization" }, { - "id": "98884120-f49d-11e9-8405-516218e3d268", + "id": "ce867840-f49e-11e9-8405-516218e3d268", "name": "panel_10", "type": "visualization" }, { - "id": "9e534190-f49d-11e9-8405-516218e3d268", + "id": "fee83900-f49f-11e9-8405-516218e3d268", "name": "panel_11", "type": "visualization" }, { - "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", + "id": "bc165210-f4b8-11e9-8405-516218e3d268", "name": "panel_12", "type": "visualization" }, { - "id": "ce867840-f49e-11e9-8405-516218e3d268", + "id": "7e178c80-fee1-11e9-8405-516218e3d268", "name": "panel_13", - "type": "visualization" + "type": "search" }, { - "id": "fee83900-f49f-11e9-8405-516218e3d268", + 
"id": "9066d5b0-fef2-11e9-8405-516218e3d268", "name": "panel_14", - "type": "visualization" + "type": "search" }, { - "id": "bc165210-f4b8-11e9-8405-516218e3d268", + "id": "b89b0c90-9b41-11ea-87e4-49f31ec44891", "name": "panel_15", "type": "visualization" }, { - "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "id": "58fb9480-9b46-11ea-87e4-49f31ec44891", "name": "panel_16", - "type": "search" + "type": "visualization" }, { - "id": "24954800-fef0-11e9-8405-516218e3d268", + "id": "33462600-9b47-11ea-87e4-49f31ec44891", "name": "panel_17", "type": "visualization" }, { - "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "id": "e20c02d0-9b48-11ea-87e4-49f31ec44891", "name": "panel_18", - "type": "search" + "type": "visualization" + }, + { + "id": "7de2e3f0-9b4d-11ea-87e4-49f31ec44891", + "name": "panel_19", + "type": "visualization" + }, + { + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", + "name": "panel_20", + "type": "visualization" } ], "type": "dashboard", - "updated_at": "2020-02-04T20:38:59.746Z", - "version": "WzQsMV0=" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEyOSwxXQ==" }, { "attributes": { 
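Review bot: The new `panel_20` reference points at `a3c3f350-9b6d-11ea-87e4-49f31ec44891`, and no object with that id is added anywhere in the visible hunks, whereas every other new panel id (b89b0c90, 58fb9480, 33462600, e20c02d0, 7de2e3f0) is defined in the `@@ -4150,9 +3603,554 @@` hunk above. If that visualization is not exported in this module's dashboard directory the import fails on a missing reference, so please confirm it is included somewhere in the change. The references array begins before this hunk.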
@@ -426,7 +512,7 @@ "aggs": [], "params": { "fontSize": 10, - "markdown": "# **Group Management Events**\n\n#### This dashboard shows information about Group Management Events collected by winlogbeat\n#\n#\n#\nEvent | Description|Event | Description\n-- | --|--|--\n|4727|A security-enabled global group was created.|4728|A member was added to a security-enabled global group.| \n|4729|A member was removed from a security-enabled global group.|4730|A security-enabled global group was deleted.| \n|4731|A security-enabled local group was created.|4732|A member was added to a security-enabled local group.|\n|4733|A member was removed from a security-enabled local group.|4734|A security-enabled local group was deleted.|\n|4735|A security-enabled local group was changed.|4737|A security-enabled global group was changed.|\n|4754|A security-enabled universal group was created.| 4755|A security-enabled universal group was changed.| \n|4756|A member was added to a security-enabled universal group.|4757|A member was removed from a security-enabled universal group.| \n|4758|A security-enabled universal group was deleted.| 4764|A group\\'s type was changed.|\n|4799|A security-enabled local group membership was enumerated.|", + "markdown": "# **Group Management Events**\n\n#### This dashboard shows information about Group Management Events collected by winlogbeat\n", "openLinksInNewTab": false }, "title": "Group Management Events - Description [Winlogbeat Security]", 
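Review bot: The description panel loses its event-code table entirely instead of being updated, so the dashboard no longer tells an analyst which Windows event ids feed it, even though the filters in this change now also cover distribution- and application-group codes (for example 4749–4753, 4759–4763 and 4783–4792 appear in the saved-search filter and TSVB queries elsewhere in the diff). I would keep a short two-column table in the `markdown` string listing the covered ids per action (created, changed, deleted, member added, member removed, enumerated) under the existing heading, since otherwise the codes are only discoverable by reading the saved-search filter. The old table also had a broken `\\'` escape in `A group\\'s type was changed.`; the replacement should use a plain apostrophe.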
@@ -435,558 +521,59 @@ }, "id": "6f0f2ea0-f414-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI1LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzMCwxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Users Added - Metric [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4732", - "4733", - "4734", - "4735", - "4764", - "4799", - "4727", - "4737", - "4728", - "4729", - "4730", - "4754", - "4755", - "4756", - "4757", - "4758" - ], - "type": "phrases", - "value": "4731, 4732, 4733, 4734, 4735, 4764, 4799, 4727, 4737, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4764" - } - }, - { - "match_phrase": { - "event.code": "4799" - } - }, - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { 
- "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4758" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Group Management Events - Event Actions - Donut [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metric": { - "accessor": 1, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - }, - "isDonut": true, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "type": "pie" - }, - "title": "Group Management Events - Event Actions - Donut [Winlogbeat Security]", - "type": "pie" - } - }, - "id": "b01aaea0-f415-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI2LDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4727", - "4728", - "4729", - "4730", - "4731", - "4732", - "4733", - "4734", - "4735", - "4737", - "4754", - "4755", - "4756", - "4757", - "4758", - "4764", - "4799" - ], - "type": "phrases", - "value": "4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, 4799" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4758" - } - }, - { - "match_phrase": { - "event.code": "4764" - } - }, - { - "match_phrase": { - "event.code": "4799" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - 
"query": "" - } - } - }, - "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Event Action", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Event Code", - "field": "event.code", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "bucket", - "type": "terms" - } - ], - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 2, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", - "type": "table" - } - }, - "id": "11b5c0e0-f417-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.4.2" - }, - 
"references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI3LDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Users Added - Metric [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "background_color": "rgba(128,137,0,1)", + "background_color": "rgba(204,204,204,1)", "id": "bfcaced0-f419-11e9-928e-8f5fd2b6c66e", - "operator": "gt", - "value": 1 + "operator": "lte", + "value": 0 }, { - "background_color": "rgba(211,49,21,1)", + "background_color": "rgba(181,99,93,1)", "id": "a7d935e0-f497-11e9-928e-8f5fd2b6c66e", "operator": "gte", - "value": 3 + "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code:4732 OR event.code:4728 OR event.code:4756" + "query": "event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787" }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -1011,7 +598,8 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, "title": "Users Added - Metric [Winlogbeat Security]", 
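Review bot: `default_index_pattern` flips from `winlogbeat-*` to `packetbeat-*` in the surviving "Users Added - Metric" TSVB object here, and the same change appears in the `@@ -1056,22 +644,23 @@` and `@@ -1141,22 +731,23 @@` hunks below. This looks like an artefact of the Kibana instance the objects were exported from, whose default index pattern happened to be packetbeat; the visualizations still set `index_pattern` to `winlogbeat-*`, so they work today, but as far as I can tell the default is what TSVB falls back to if that field is ever blanked, and a Windows security dashboard should never fall back to network data. Restore `"default_index_pattern": "winlogbeat-*",` in all three objects. The enclosing visualization object starts before this hunk.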
@@ -1020,12 +608,12 @@ }, "id": "ffebe440-f419-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:38:59.746Z", - "version": "WzgsMV0=" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzMSwxXQ==" }, { "attributes": { @@ -1039,7 +627,7 @@ } } }, - "title": "Groups Deleted - Metric [Winlogbeat Security]", + "title": "Groups Deleted TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -1056,22 +644,23 @@ "value": 0 }, { - "background_color": "rgba(153,172,99,1)", + "background_color": "rgba(228,155,75,1)", "id": "a7d935e0-f497-11e9-928e-8f5fd2b6c66e", "operator": "gt", "value": 0 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code:4734 OR event.code:4730 OR event.code:4758" + "query": "event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792" }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -1096,21 +685,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Groups Deleted - Metric [Winlogbeat Security]", + "title": "Groups Deleted TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "e22c6f40-f498-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:38:59.746Z", - "version": "WzksMV0=" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzMiwxXQ==" }, { "attributes": { 
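Review bot: `default_index_pattern` is switched from `winlogbeat-*` to `packetbeat-*` in the Groups Deleted TSVB metric (hunk `@@ -1056,22 +644,23 @@`), and the same change recurs in the Groups Created, Groups Changed, Users Removed and Groups Enumeration metrics in the following hunks. Because `index_pattern` is still `winlogbeat-*` the panels will most likely render as intended, but a winlogbeat module dashboard should not ship another beat's index pattern as its fallback; this looks like a leftover from the Kibana instance the export was taken on. Revert each to `"default_index_pattern": "winlogbeat-*"` before merging so the saved objects do not depend on a packetbeat index pattern existing on the target stack.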
@@ -1124,7 +714,7 @@ } } }, - "title": "Groups Created - Metric [Winlogbeat Security]", + "title": "Groups Created TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -1141,22 +731,23 @@ "value": 0 }, { - "background_color": "rgba(244,78,59,1)", + "background_color": "rgba(181,99,93,1)", "id": "a7d935e0-f497-11e9-928e-8f5fd2b6c66e", "operator": "gt", "value": 0 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" " + "query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" OR event.code:\"4749\" OR event.code:\"4759\" OR event.code:\"4744\" OR event.code:\"4783\" OR event.code:\"4790\" " }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -1181,21 +772,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Groups Created - Metric [Winlogbeat Security]", + "title": "Groups Created TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "ee292bc0-f499-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:38:59.746Z", - "version": "WzEwLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzMywxXQ==" }, { "attributes": { @@ -1209,7 +801,7 @@ } } }, - "title": "Groups Changed - Metric [Winlogbeat Security]", + "title": "Groups Changed TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { 
@@ -1226,22 +818,23 @@ "value": 0 }, { - "background_color": "rgba(252,196,0,1)", + "background_color": "rgba(221,186,64,1)", "id": "a7d935e0-f497-11e9-928e-8f5fd2b6c66e", "operator": "gt", "value": 0 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code:4735 OR event.code:4737 OR event.code:\"4755\" OR event.code:\"4764\" " + "query": "event.code:4735 OR event.code:4737 OR event.code:\"4755\" OR event.code:\"4764\" OR event.code:\"4750\" OR event.code:\"4760\" OR event.code:\"4745\" OR event.code:\"4784\" OR event.code:\"4791\" " }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "60d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -1266,21 +859,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Groups Changed - Metric [Winlogbeat Security]", + "title": "Groups Changed TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "400b63e0-f49a-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:38:59.746Z", - "version": "WzExLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzNCwxXQ==" }, { "attributes": { @@ -1294,7 +888,7 @@ } } }, - "title": "Users Removed - Table [Winlogbeat Security]", + "title": "Users Removed - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { 
@@ -1305,22 +899,29 @@ "axis_scale": "normal", "background_color_rules": [ { - "background_color": "rgba(176,188,0,1)", + "background_color": "rgba(204,204,204,1)", "id": "bfcaced0-f419-11e9-928e-8f5fd2b6c66e", - "operator": "gt", + "operator": "lte", "value": 0 + }, + { + "background_color": "rgba(228,155,75,1)", + "id": "11604700-9b51-11ea-99a1-e5b989979a59", + "operator": "gte", + "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code:4733 OR event.code:4727 OR event.code:4729" + "query": "event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747" }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -1345,21 +946,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Removed - Table [Winlogbeat Security]", + "title": "Users Removed - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "a5f664c0-f49a-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:38:59.746Z", - "version": "WzEyLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzNSwxXQ==" }, { "attributes": { @@ -1373,7 +975,7 @@ } } }, - "title": "Groups Enumeration - Metric [Winlogbeat Security]", + "title": "Groups Enumeration - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { 
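Review bot: The Users Removed TSVB filter query (hunk `@@ -1305,22 +899,29 @@`) lists seven codes and leaves out 4757, whereas the matching "Users Removed from Group - Table" filter later in this diff lists 4733, 4729, 4757, 4786, 4788, 4752, 4762 and 4747, so the metric and the table will disagree whenever a 4757 event is ingested. Unless the omission is deliberate, align the metric with the table: `"query": "event.code:4733 OR event.code:4729 OR event.code:4757 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747"`.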
@@ -1384,13 +986,20 @@ "axis_scale": "normal", "background_color_rules": [ { - "background_color": "rgba(159,5,0,1)", + "background_color": "rgba(128,128,128,1)", + "color": "rgba(179,179,179,1)", "id": "bfcaced0-f419-11e9-928e-8f5fd2b6c66e", "operator": "gt", "value": 0 + }, + { + "background_color": "rgba(179,179,179,1)", + "id": "8d3f3ed0-9b51-11ea-99a1-e5b989979a59", + "operator": "lte", + "value": 0 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { @@ -1400,6 +1009,7 @@ "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -1424,21 +1034,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Groups Enumeration - Metric [Winlogbeat Security]", + "title": "Groups Enumeration - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "546febc0-f49b-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:38:59.746Z", - "version": "WzEzLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzNiwxXQ==" }, { "attributes": { 
@@ -1453,55 +1064,26 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4727", - "4728", - "4729", - "4730", - "4731", - "4732", - "4733", - "4734", - "4735", - "4737", - "4754", - "4755", - "4756", - "4757", - "4758", - "4764", - "4799" - ], - "type": "phrases", - "value": "4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, 4799" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4731", + "4727", + "4754", + "4744", + "4759", + "4779", + "4790", + "4783" + ], + "type": "phrases", + "value": "4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ { "match_phrase": { "event.code": "4731" @@ -1509,27 +1091,7 @@ }, { "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" + "event.code": "4727" } }, { @@ -1539,32 +1101,27 @@ }, { "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4756" + "event.code": "4744" } }, { "match_phrase": { - "event.code": "4757" + "event.code": "4759" } }, { "match_phrase": { - "event.code": "4758" + "event.code": "4779" } }, { "match_phrase": { - "event.code": "4764" + "event.code": "4790" } }, { "match_phrase": { - "event.code": "4799" + "event.code": "4783" } } ] 
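Review bot: The Groups Created table filter (hunk `@@ -1453,55 +1064,26 @@`) carries `"4779"` in `params`, in `value` and in a `match_phrase` clause, while the Groups Created TSVB metric and the Group Management Details saved search elsewhere in this diff use 4749 for the same category and 4779 appears in no other filter of this dashboard. This looks like a digit transposition; as written the table silently drops 4749 group-creation events and pulls in unrelated 4779 events instead. Change the three occurrences to `"4749"` and update the derived `"value"` string so it lists `4731, 4727, 4754, 4744, 4759, 4749, 4790, 4783`.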
@@ -1579,14 +1136,14 @@ } } }, - "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", + "title": "Groups Created - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { - "defaultColors": { - "0 - 1": "rgb(247,251,255)", - "1 - 2": "rgb(198,219,239)", - "2 - 3": "rgb(107,174,214)", - "3 - 4": "rgb(33,113,181)" + "params": { + "sort": { + "columnIndex": null, + "direction": null + } } } }, @@ -1612,16 +1169,17 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 15 + "size": 20 }, - "schema": "segment", + "schema": "bucket", "type": "terms" }, { "enabled": true, "id": "3", "params": { - "field": "event.action", + "customLabel": "Domain", + "field": "group.domain", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
@@ -1630,18 +1188,60 @@ "otherBucketLabel": "Other", "size": 5 }, - "schema": "group", + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Performer LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", "type": "terms" } ], "params": { - "addLegend": true, - "addTooltip": true, - "colorSchema": "Blues", - "colorsNumber": 4, - "colorsRange": [], "dimensions": { - "series": [ + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, { "accessor": 1, "aggType": "terms", @@ -1654,24 +1254,37 @@ } }, "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } }, - "params": {} - }, - "y": [ { "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 3, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 4, "aggType": "count", "format": { "id": "number" 
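Review bot: The new "Performed by" column added to the Groups Created table (hunk `@@ -1630,18 +1188,60 @@`) aggregates on `winlog.event_data.SubjectUserName`, while the Users Added table later in this diff switches the identically labelled column to the ECS field `user.name`, and the Group Enumeration table keeps the raw `winlog.event_data.SubjectUserName`. If the security module maps SubjectUserName to `user.name` for the group-management codes (I cannot confirm that from this diff), the tables should agree on one field so the same column label carries the same meaning; if it does not, the label should say which value is shown, e.g. `"customLabel": "Performed by (SubjectUserName)"`.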
@@ -1680,38 +1293,24 @@ } ] }, - "enableHover": false, - "invertColors": false, - "legendPosition": "right", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": true - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] + "perPage": 5, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" }, - "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", - "type": "heatmap" + "title": "Groups Created - Table [Winlogbeat Security]", + "type": "table" } }, - "id": "b948eaf0-f49c-11e9-8405-516218e3d268", + "id": "98884120-f49d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1726,8 +1325,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI4LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzNywxXQ==" }, { "attributes": { @@ -1746,12 +1345,18 @@ "key": "event.code", "negate": false, "params": [ - "4731", - "4727", - "4754" + "4735", + "4737", + "4755", + "4750", + "4760", + "4745", + "4791", + "4784", + "4764" ], "type": "phrases", - "value": "4731, 4727, 4754" + "value": "4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764" }, "query": { "bool": { 
@@ -1759,17 +1364,47 @@ "should": [ { "match_phrase": { - "event.code": "4731" + "event.code": "4735" } }, { "match_phrase": { - "event.code": "4727" + "event.code": "4737" } }, { "match_phrase": { - "event.code": "4754" + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4791" + } + }, + { + "match_phrase": { + "event.code": "4784" + } + }, + { + "match_phrase": { + "event.code": "4764" } } ] @@ -1784,7 +1419,7 @@ } } }, - "title": "Groups Created - Table [Winlogbeat Security]", + "title": "Group Changes - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1942,6 +1577,7 @@ ] }, "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -1951,13 +1587,13 @@ }, "totalFunc": "sum" }, - "title": "Groups Created - Table [Winlogbeat Security]", + "title": "Group Changes - Table [Winlogbeat Security]", "type": "table" } }, - "id": "98884120-f49d-11e9-8405-516218e3d268", + "id": "9e534190-f49d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1972,8 +1608,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzI5LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzOCwxXQ==" }, { "attributes": { @@ -1992,12 +1628,17 @@ "key": "event.code", "negate": false, "params": [ - "4735", - "4737", - "4755" + "4734", + "4730", + "4758", + "4748", + "4763", + "4753", + "4792", + "4789" ], "type": "phrases", - "value": "4735, 4737, 4755" + "value": "4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789" }, "query": { "bool": { 
@@ -2005,17 +1646,42 @@ "should": [ { "match_phrase": { - "event.code": "4735" + "event.code": "4734" } }, { "match_phrase": { - "event.code": "4737" + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, + { + "match_phrase": { + "event.code": "4748" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4792" } }, { "match_phrase": { - "event.code": "4755" + "event.code": "4789" } } ] @@ -2030,7 +1696,7 @@ } } }, - "title": "Group Changes - Table [Winlogbeat Security]", + "title": "Groups Deleted - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -2188,6 +1854,7 @@ ] }, "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -2197,13 +1864,13 @@ }, "totalFunc": "sum" }, - "title": "Group Changes - Table [Winlogbeat Security]", + "title": "Groups Deleted - Table [Winlogbeat Security]", "type": "table" } }, - "id": "9e534190-f49d-11e9-8405-516218e3d268", + "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2218,8 +1885,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMwLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzEzOSwxXQ==" }, { "attributes": { @@ -2238,12 +1905,17 @@ "key": "event.code", "negate": false, "params": [ - "4734", - "4730", - "4758" + "4732", + "4728", + "4756", + "4751", + "4761", + "4746", + "4785", + "4787" ], "type": "phrases", - "value": "4734, 4730, 4758" + "value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787" }, "query": { "bool": { 
@@ -2251,17 +1923,42 @@ "should": [ { "match_phrase": { - "event.code": "4734" + "event.code": "4732" } }, { "match_phrase": { - "event.code": "4730" + "event.code": "4728" } }, { "match_phrase": { - "event.code": "4758" + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4785" + } + }, + { + "match_phrase": { + "event.code": "4787" } } ] @@ -2276,7 +1973,7 @@ } } }, - "title": "Groups Deleted - Table [Winlogbeat Security]", + "title": "Users Added - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -2300,6 +1997,23 @@ { "enabled": true, "id": "2", + "params": { + "customLabel": "User", + "field": "winlog.event_data.MemberName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", "params": { "customLabel": "Group", "field": "group.name", @@ -2309,14 +2023,14 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 20 + "size": 10 }, "schema": "bucket", "type": "terms" }, { "enabled": true, - "id": "3", + "id": "4", "params": { "customLabel": "Domain", "field": "group.domain", @@ -2333,10 +2047,10 @@ }, { "enabled": true, - "id": "4", + "id": "5", "params": { "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", + "field": "user.name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -2350,9 +2064,9 @@ }, { "enabled": true, - "id": "5", + "id": "6", "params": { - "customLabel": "Performer LogonID", + "customLabel": "Performed by Logon ID", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", 
@@ -2420,11 +2134,24 @@ } }, "params": {} + }, + { + "accessor": 4, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], "metrics": [ { - "accessor": 4, + "accessor": 5, "aggType": "count", "format": { "id": "number" @@ -2434,6 +2161,7 @@ ] }, "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -2443,13 +2171,13 @@ }, "totalFunc": "sum" }, - "title": "Groups Deleted - Table [Winlogbeat Security]", + "title": "Users Added - Table [Winlogbeat Security]", "type": "table" } }, - "id": "bb9cf7a0-f49d-11e9-8405-516218e3d268", + "id": "ce867840-f49e-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2464,8 +2192,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMxLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MCwxXQ==" }, { "attributes": { @@ -2484,12 +2212,17 @@ "key": "event.code", "negate": false, "params": [ - "4732", - "4728", - "4756" + "4733", + "4729", + "4757", + "4786", + "4788", + "4752", + "4762", + "4747" ], "type": "phrases", - "value": "4732, 4728, 4756" + "value": "4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747" }, "query": { "bool": { @@ -2497,17 +2230,42 @@ "should": [ { "match_phrase": { - "event.code": "4732" + "event.code": "4733" } }, { "match_phrase": { - "event.code": "4728" + "event.code": "4729" } }, { "match_phrase": { - "event.code": "4756" + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4786" + } + }, + { + "match_phrase": { + "event.code": "4788" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4747" } } ] 
@@ -2522,7 +2280,7 @@ } } }, - "title": "Users Added - Table [Winlogbeat Security]", + "title": "Users Removed from Group - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -2710,6 +2468,7 @@ ] }, "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -2719,13 +2478,13 @@ }, "totalFunc": "sum" }, - "title": "Users Added - Table [Winlogbeat Security]", + "title": "Users Removed from Group - Table [Winlogbeat Security]", "type": "table" } }, - "id": "ce867840-f49e-11e9-8405-516218e3d268", + "id": "fee83900-f49f-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2740,8 +2499,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMyLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MSwxXQ==" }, { "attributes": { @@ -2760,12 +2519,10 @@ "key": "event.code", "negate": false, "params": [ - "4733", - "4729", - "4757" + "4799" ], "type": "phrases", - "value": "4733, 4729, 4757" + "value": "4799" }, "query": { "bool": { @@ -2773,17 +2530,7 @@ "should": [ { "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4757" + "event.code": "4799" } } ] @@ -2798,7 +2545,7 @@ } } }, - "title": "Users Removed from Group - Table [Winlogbeat Security]", + "title": "Group Enumeration - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { 
@@ -2822,23 +2569,6 @@ { "enabled": true, "id": "2", - "params": { - "customLabel": "User", - "field": "winlog.event_data.MemberName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", "params": { "customLabel": "Group", "field": "group.name", @@ -2848,14 +2578,14 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 10 + "size": 20 }, "schema": "bucket", "type": "terms" }, { "enabled": true, - "id": "4", + "id": "3", "params": { "customLabel": "Domain", "field": "group.domain", @@ -2872,9 +2602,9 @@ }, { "enabled": true, - "id": "5", + "id": "4", "params": { - "customLabel": "Performed by", + "customLabel": "Creator", "field": "winlog.event_data.SubjectUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -2889,9 +2619,9 @@ }, { "enabled": true, - "id": "6", + "id": "5", "params": { - "customLabel": "Performed by Logon ID", + "customLabel": "Creator LogonID", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", 
@@ -2959,49 +2689,118 @@ } }, "params": {} - }, - { - "accessor": 4, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} } ], "metrics": [ { - "accessor": 5, + "accessor": 4, "aggType": "count", "format": { "id": "number" }, "params": {} } - ] - }, - "perPage": 5, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + ] + }, + "perPage": 5, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Group Enumeration - Table [Winlogbeat Security]", + "type": "table" + } + }, + "id": "bc165210-f4b8-11e9-8405-516218e3d268", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MiwxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4624" + ], + "type": "phrases", + "value": "4624" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4624" + } + } + ] + } + } + } + ], + "highlightAll": true, + 
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" }, - "totalFunc": "sum" - }, - "title": "Users Removed from Group - Table [Winlogbeat Security]", - "type": "table" - } + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Winlogbeat Security]", + "version": 1 }, - "id": "fee83900-f49f-11e9-8405-516218e3d268", + "id": "7e178c80-fee1-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "search": "7.4.0" }, "references": [ { @@ -3015,13 +2814,22 @@ "type": "index-pattern" } ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzMzLDFd" + "type": "search", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MywxXQ==" }, { "attributes": { + "columns": [ + "event.action", + "group.name", + "group.domain", + "user.name", + "user.domain", + "host.name" + ], "description": "", + "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ 
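Review bot: The new "Logon Details [Winlogbeat Security]" saved search (hunk `@@ -2959,49 +2689,118 @@`) is pinned to event.code 4624 only, yet its `description` is empty and the title does not say it covers successful logons alone. Anyone reusing this search for failed-logon triage will get no hits and no hint why; suggest `"description": "Successful logons (event.code 4624) with user, source host/IP, logon ID and logon type."` so the scope is visible in the saved-object listing.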
@@ -3036,43 +2844,258 @@ "key": "event.code", "negate": false, "params": [ - "4799" + "4731", + "4732", + "4733", + "4734", + "4735", + "4737", + "4764", + "4727", + "4728", + "4729", + "4730", + "4754", + "4755", + "4756", + "4757", + "4758", + "4799", + "4749", + "4750", + "4751", + "4752", + "4753", + "4759", + "4760", + "4761", + "4762", + "4763", + "4744", + "4745", + "4746", + "4748" ], "type": "phrases", - "value": "4799" + "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" }, "query": { "bool": { "minimum_should_match": 1, "should": [ + { + "match_phrase": { + "event.code": "4731" + } + }, + { + "match_phrase": { + "event.code": "4732" + } + }, + { + "match_phrase": { + "event.code": "4733" + } + }, + { + "match_phrase": { + "event.code": "4734" + } + }, + { + "match_phrase": { + "event.code": "4735" + } + }, + { + "match_phrase": { + "event.code": "4737" + } + }, + { + "match_phrase": { + "event.code": "4764" + } + }, + { + "match_phrase": { + "event.code": "4727" + } + }, + { + "match_phrase": { + "event.code": "4728" + } + }, + { + "match_phrase": { + "event.code": "4729" + } + }, + { + "match_phrase": { + "event.code": "4730" + } + }, + { + "match_phrase": { + "event.code": "4754" + } + }, + { + "match_phrase": { + "event.code": "4755" + } + }, + { + "match_phrase": { + "event.code": "4756" + } + }, + { + "match_phrase": { + "event.code": "4757" + } + }, + { + "match_phrase": { + "event.code": "4758" + } + }, { "match_phrase": { "event.code": "4799" } + }, + { + "match_phrase": { + "event.code": "4749" + } + }, + { + "match_phrase": { + "event.code": "4750" + } + }, + { + "match_phrase": { + "event.code": "4751" + } + }, + { + "match_phrase": { + "event.code": "4752" + } + }, + { + "match_phrase": { + "event.code": "4753" + } + }, + { + "match_phrase": { + "event.code": "4759" + } + }, + { + "match_phrase": { + 
"event.code": "4760" + } + }, + { + "match_phrase": { + "event.code": "4761" + } + }, + { + "match_phrase": { + "event.code": "4762" + } + }, + { + "match_phrase": { + "event.code": "4763" + } + }, + { + "match_phrase": { + "event.code": "4744" + } + }, + { + "match_phrase": { + "event.code": "4745" + } + }, + { + "match_phrase": { + "event.code": "4746" + } + }, + { + "match_phrase": { + "event.code": "4748" + } } ] } } } ], + "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { - "language": "kuery", + "language": "lucene", "query": "" - } + }, + "version": true } }, - "title": "Group Enumeration - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Group Management Details - Search View [Winlogbeat Security]", + "version": 1 + }, + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" } } }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Event Actions [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ 
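Review bot: The Group Management Details saved search filter (hunk `@@ -3036,43 +2844,258 @@`) enumerates 31 codes but omits 4747 and the entire 4783–4792 range that the per-category TSVB metrics and tables in this diff now include, so the Event Actions pie and the Target Groups tag cloud bound to this search through `search_0` will under-count relative to the metric panels on the same dashboard. The code list here should be generated from the same set used by the category filters rather than maintained by hand. Separately, this search's query language changes from `kuery` to `lucene` while the query itself is empty and the other new saved search keeps `kuery`; unless that is intentional, keep `"language": "kuery"` for consistency.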
@@ -3087,25 +3110,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "customLabel": "Group",
- "field": "group.name",
- "missingBucket": false,
- "missingBucketLabel": "Missing",
- "order": "desc",
- "orderBy": "1",
- "otherBucket": false,
- "otherBucketLabel": "Other",
- "size": 20
- },
- "schema": "bucket",
- "type": "terms"
- },
- {
- "enabled": true,
- "id": "3",
- "params": {
- "customLabel": "Domain",
- "field": "group.domain",
+ "field": "event.action",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -3114,32 +3119,72 @@ "otherBucketLabel": "Other", "size": 5 }, - "schema": "bucket", + "schema": "segment", "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Group Management Events - Event Actions [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "b89b0c90-9b41-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Target Groups - Tag Cloud [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ { "enabled": true, - "id": "4", - "params": { - "customLabel": "Creator", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" }, { "enabled": true, - "id": "5", + "id": "2", "params": { - "customLabel": "Creator LogonID", - "field": "winlog.logon.id", + "field": "group.name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", 
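Review bot: The new "Event Actions" pie keeps `"size": 5` on its event.action terms agg while the saved search it now references spans roughly thirty group-management event codes, so only the five most frequent actions are drawn and the rarer ones — usually the more interesting in a security dashboard — drop out silently (this agg's `otherBucket` line sits just outside the hunk; the sibling aggs later in the file set it to `false`, which would also mean no "Other" slice). The same top-5 cut applies to the "Target Groups" tag cloud whose `"size": 5` opens the next hunk (`@@ -3148`), where the heatmap in that same hunk shows twenty buckets for the same group.name field. Consider `"size": 50` to match the Event Actions table, or `"otherBucket": true` so the truncation is at least visible. This agg's enclosing visualization starts before the hunk.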
@@ -3148,332 +3193,259 @@ "otherBucketLabel": "Other", "size": 5 }, - "schema": "bucket", + "schema": "segment", "type": "terms" } ], "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 4, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" + "maxFontSize": 58, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false }, - "title": "Group Enumeration - Table [Winlogbeat Security]", - "type": "table" + "title": "Group Management Events - Target Groups - Tag Cloud [Winlogbeat Security]", + "type": "tagcloud" } }, - "id": "bc165210-f4b8-11e9-8405-516218e3d268", + "id": "58fb9480-9b46-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzM0LDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NiwxXQ==" }, { "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4624" - ], - "type": "phrases", - "value": "4624" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4624" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { "language": "kuery", "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "event.action", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 50 + }, + "schema": "bucket", + "type": "terms" }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Winlogbeat 
Security]", - "version": 1 + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "event.code", + "field": "event.code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Group Management Events - Event Actions - Table [Winlogbeat Security]", + "type": "table" + } }, - "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "id": "33462600-9b47-11ea-87e4-49f31ec44891", "migrationVersion": { - "search": "7.4.0" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], - "type": "search", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkyLDFd" + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0NywxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Target Groups", + "field": "group.name", + "missingBucket": false, + 
"missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Actions", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "colorSchema": "Blues", + "colorsNumber": 4, + "colorsRange": [], + "enableHover": false, + "invertColors": false, + "legendPosition": "right", + "percentageMode": false, + "setColorRange": false, + "times": [], + "type": "heatmap", + "valueAxes": [ { - "$state": { - "store": "appState" + "id": "ValueAxis-1", + "labels": { + "color": "black", + "overwriteColor": false, + "rotate": 0, + "show": true }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4732", - "4733", - "4734", - "4735", - "4737", - "4764", - "4799", - "4727", - "4728", - "4729", - "4730", - "4754", - "4755", - "4756", - "4757", - "4758" - ], - "type": "phrases", - "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4799, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758" + "scale": { + "defaultYExtents": false, + "type": "linear" }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4764" - } - }, - { 
- "match_phrase": { - "event.code": "4799" - } - }, - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4758" - } - } - ] - } - } + "show": false, + "type": "value" } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + ] + }, + "title": "Group Management Events - Groups vs Actions - Heatmap [Winlogbeat Security]", + "type": "heatmap" + } + }, + "id": "e20c02d0-9b48-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], "query": { - "language": "lucene", + "language": "kuery", "query": "" } } }, + "savedSearchRefName": "search_0", "title": "Group Management Action Distribution over Time [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, @@ -3495,6 +3467,7 @@ "field": "@timestamp", "interval": "auto", "min_doc_count": 1, + "scaleMetricValues": false, "timeRange": { "from": "now-30d", "to": "now" @@ -3515,7 +3488,7 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 5 + "size": 25 }, "schema": "group", "type": "terms" 
@@ -3543,72 +3516,14 @@
 "type": "category"
 }
 ],
- "dimensions": {
- "series": [
- {
- "accessor": 1,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other"
- }
- },
- "params": {}
- },
- {
- "accessor": 2,
- "aggType": "terms",
- "format": {
- "id": "terms",
- "params": {
- "id": "string",
- "missingBucketLabel": "Missing",
- "otherBucketLabel": "Other"
- }
- },
- "params": {}
- }
- ],
- "x": {
- "accessor": 0,
- "aggType": "date_histogram",
- "format": {
- "id": "date",
- "params": {
- "pattern": "YYYY-MM-DD HH:mm"
- }
- },
- "params": {
- "bounds": {
- "max": "2019-11-04T10:56:42.142Z",
- "min": "2019-10-05T09:56:42.142Z"
- },
- "date": true,
- "format": "YYYY-MM-DD HH:mm",
- "interval": "PT12H"
- }
- },
- "y": [
- {
- "accessor": 3,
- "aggType": "count",
- "format": {
- "id": "number"
- },
- "params": {}
- }
- ]
- },
 "grid": {
- "categoryLines": false
+ "categoryLines": false,
+ "valueAxis": ""
 },
 "labels": {
- "show": true
+ "show": false
 },
- "legendPosition": "bottom",
+ "legendPosition": "right",
 "seriesParams": [
 {
 "data": {
@@ -3616,13 +3531,21 @@
 "label": "Count"
 },
 "drawLinesBetweenPoints": true,
+ "lineWidth": 2,
 "mode": "stacked",
- "show": "true",
+ "show": true,
 "showCircles": true,
 "type": "histogram",
 "valueAxis": "ValueAxis-1"
 }
 ],
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
 "times": [],
 "type": "histogram",
 "valueAxes": [
@@ -3653,205 +3576,56 @@ "type": "histogram" } }, - "id": "24954800-fef0-11e9-8405-516218e3d268", + "id": "7de2e3f0-9b4d-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:00.715Z", - "version": "WzQyLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0OSwxXQ==" }, { "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "winlog.event_data.SubjectUserName", - "user.domain", - "host.name" - ], "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4732", - "4733", - "4734", - "4735", - "4737", - "4764", - "4799", - "4727", - "4728", - "4729", - "4730", - "4754", - "4755", - "4756", - "4757", - "4758" - ], - "type": "phrases", - "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4799, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4764" - 
} - }, - { - "match_phrase": { - "event.code": "4799" - } - }, - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4758" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { - "language": "lucene", + "language": "kuery", "query": "" - }, - "version": true + } } }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Winlogbeat Security]", - "version": 1 + "title": "Dashboard links [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat Overview](#/dashboard/Winlogbeat-Dashboard-ecs) | [User Logon Information](#/dashboard/bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Winlogbeat Security]", + "type": "markdown" + } }, - "id": "9066d5b0-fef2-11e9-8405-516218e3d268", + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", "migrationVersion": { - "search": "7.4.0" + "visualization": "7.7.0" }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", 
- "type": "index-pattern"
- }
- ],
- "type": "search",
- "updated_at": "2020-02-04T20:39:00.715Z",
- "version": "WzQzLDFd"
+ "references": [],
+ "type": "visualization",
+ "updated_at": "2020-06-04T16:49:11.152Z",
+ "version": "WzI1MCwxXQ=="
 }
 ],
- "version": "7.5.2"
+ "version": "7.7.0"
 }
diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-logons-tsvb.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-logons-tsvb.json
new file mode 100644
index 00000000000..67f5233b680
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-logons-tsvb.json
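Review bot: The new "Dashboard links" markdown panel hard-codes five dashboard ids as plain text (`#/dashboard/Winlogbeat-Dashboard-ecs`, `#/dashboard/bae11b00-9bfc-11ea-87e4-49f31ec44891`, and so on) while declaring `"references": []`, so the saved-object import cannot check that the targets exist or rewrite them when an id changes; a renamed or dropped dashboard leaves a dead link with no import-time error. Because the ids are module-internal, a test that extracts every `#/dashboard/<id>` from markdown panels under this directory and asserts each one matches the `id` of a `"type": "dashboard"` object shipped by the module would catch that drift; at minimum the panel's empty `"description": ""` should name the dashboards it links to. The `updated_at` on this object (`2020-06-04T16:49:11.152Z`) also differs from the `16:26:27.206Z` stamp on the other objects visible in this chunk, which suggests it was exported separately — harmless, but a single re-export would keep the file one consistent snapshot.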
@@ -0,0 +1,1931 @@ +{ + "objects": [ + { + "attributes": { + "description": "User logon activity dashboard with TSVB metrics.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "Sesiones Usuarios Admin" + }, + "gridData": { + "h": 28, + "i": "1", + "w": 18, + "x": 0, + "y": 38 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "title": "Sesiones Usuarios Admin", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 13, + "i": "2", + "w": 9, + "x": 0, + "y": 6 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Usuarios Adm" + }, + "gridData": { + "h": 19, + "i": "3", + "w": 18, + "x": 0, + "y": 19 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "title": "Usuarios Adm", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "4", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Network Logon Details" + }, + "gridData": { + "h": 27, + "i": "10", + "w": 22, + "x": 0, + "y": 66 + }, + "panelIndex": "10", + "panelRefName": "panel_4", + "title": "Network Logon Details", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "08245e0c-6afe-43ea-ba5f-76c3b17301fd", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "08245e0c-6afe-43ea-ba5f-76c3b17301fd", + "panelRefName": "panel_5", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 13, + "i": "f403fdcc-6588-4573-a949-9e661783a2b8", + "w": 9, + "x": 9, + "y": 6 + }, + "panelIndex": "f403fdcc-6588-4573-a949-9e661783a2b8", + 
"panelRefName": "panel_6", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Events Timeline" + }, + "gridData": { + "h": 13, + "i": "51a9affa-8e96-42bd-98e9-80531bdefc53", + "w": 30, + "x": 18, + "y": 6 + }, + "panelIndex": "51a9affa-8e96-42bd-98e9-80531bdefc53", + "panelRefName": "panel_7", + "title": "Logon Events Timeline", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Types" + }, + "gridData": { + "h": 19, + "i": "bbdca4de-11c5-4957-a74c-73769416a562", + "w": 12, + "x": 18, + "y": 19 + }, + "panelIndex": "bbdca4de-11c5-4957-a74c-73769416a562", + "panelRefName": "panel_8", + "title": "Logon Types", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "4df66ae6-e047-47c7-b1a9-b15221eb9d90", + "w": 18, + "x": 30, + "y": 19 + }, + "panelIndex": "4df66ae6-e047-47c7-b1a9-b15221eb9d90", + "panelRefName": "panel_9", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "RDP Reconnections and Desconnections" + }, + "gridData": { + "h": 28, + "i": "454bb008-9720-455e-8ab9-b2f47d25aa4f", + "w": 19, + "x": 18, + "y": 38 + }, + "panelIndex": "454bb008-9720-455e-8ab9-b2f47d25aa4f", + "panelRefName": "panel_10", + "title": "RDP Reconnections and Desconnections", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 28, + "i": "baec73e7-7166-4577-9483-1252bdd8773c", + "w": 11, + "x": 37, + "y": 38 + }, + "panelIndex": "baec73e7-7166-4577-9483-1252bdd8773c", + "panelRefName": "panel_11", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logout Details" + }, + "gridData": { + "h": 27, + "i": "28115147-8399-4fcd-95ce-ed0a4f4239e3", + "w": 26, + "x": 22, + "y": 66 + }, + "panelIndex": "28115147-8399-4fcd-95ce-ed0a4f4239e3", + "panelRefName": "panel_12", + "title": "Logout Details", + "version": "7.7.0" + } + ], + "timeRestore": false, + "title": "[Winlogbeat Security] User Logons - Simple Metrics", + "version": 1 + }, + "id": 
"035846a0-a249-11e9-a422-d144027429da", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "804dd400-a248-11e9-a422-d144027429da", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "5bb93ed0-a249-11e9-a422-d144027429da", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "e2516c10-a249-11e9-a422-d144027429da", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "18348f30-a24d-11e9-a422-d144027429da", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "ce71c9a0-a25e-11e9-a422-d144027429da", + "name": "panel_4", + "type": "search" + }, + { + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "2c71e0f0-9c0d-11ea-87e4-49f31ec44891", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "abd44840-9c0f-11ea-87e4-49f31ec44891", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "006d75f0-9c03-11ea-87e4-49f31ec44891", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "21aadac0-9c0b-11ea-87e4-49f31ec44891", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", + "name": "panel_10", + "type": "search" + }, + { + "id": "25f31ee0-9c23-11ea-87e4-49f31ec44891", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "06b6b060-7a80-11ea-bc9a-0baf2ca323a3", + "name": "panel_12", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-06-04T16:26:23.176Z", + "version": "WzQzLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4672" + ], + "type": "phrases", + "value": "4672" + }, + "query": { + "bool": { + "minimum_should_match": 1, + 
"should": [ + { + "match_phrase": { + "event.code": "4672" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logged on Administrators [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Date", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-20T07:35:27.496Z", + "to": "2020-05-22T00:01:10.239Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "bucket", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "user.name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "8", + "params": { + "customLabel": "# Thread", + "field": "winlog.process.thread.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "9", + "params": { + "customLabel": "LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + 
{ + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "YYYY-MM-DD HH:mm" + } + }, + "label": "Fecha - Hora ", + "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "Usuario", + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "number", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "# Thread", + "params": {} + }, + { + "accessor": 3, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "winlog.logon.id: Descending", + "params": {} + } + ], + "metrics": [ + { + "accessor": 4, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Cantidad Eventos ", + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Logged on Administrators [Winlogbeat Security]", + "type": "table" + } + }, + "id": "804dd400-a248-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4672" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4672", + "type": "phrase" + } + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Admin Logons Simple [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Admin Logons" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Admin Logons Simple [Winlogbeat Security]", + "type": "metric" + } + }, + "id": "5bb93ed0-a249-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + 
"id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:23.176Z", + "version": "WzQ1LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4672" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4672", + "type": "phrase" + } + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Administrator Users [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "winlog.logon.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "user.name: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "label": 
"Unique count of winlog.logon.id", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "type": "pie" + }, + "title": "Administrator Users [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "e2516c10-a249-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "User Logon Dashboard [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 10, + "markdown": "## **Logon Information Dashboard**", + "openLinksInNewTab": false + }, + "title": "User Logon Dashboard [Winlogbeat Security] ", + "type": "markdown" + } + }, + "id": "18348f30-a24d-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExNywxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "winlog.logon.type", + "source.domain", + "source.ip", + "winlog.logon.id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": 
"4624" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4624", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User Logons [Winlogbeat Security]", + "version": 1 + }, + "id": "ce71c9a0-a25e-11e9-a422-d144027429da", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExOCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboard links - Simple [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat General ECS Dashboard](#/dashboard/Winlogbeat-Dashboard-ecs) | [User Logon Information](#/dashboard/035846a0-a249-11e9-a422-d144027429da?) 
| [Logon failed and Account Lockout](#/dashboard/f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/01c54730-fee6-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links - Simple [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4624" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4624" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logons Simple [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Logons" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, 
+ "type": "metric" + }, + "title": "Logons Simple [Winlogbeat Security]", + "type": "metric" + } + }, + "id": "2c71e0f0-9c0d-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:23.176Z", + "version": "WzUwLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4624", + "4672" + ], + "type": "phrases", + "value": "4624, 4672" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4624" + } + }, + { + "match_phrase": { + "event.code": "4672" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Events in Time - Simple [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "colors": { + "Admin Logons": "#E24D42", + "Logon Events": "#447EBC" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-20T07:35:27.496Z", + "to": "2020-05-22T00:01:10.239Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", 
+ "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "event.code: \"4624\" " + }, + "label": "Logon Events" + }, + { + "input": { + "language": "kuery", + "query": "event.code: \"4672\" " + }, + "label": "Admin Logons" + } + ] + }, + "schema": "group", + "type": "filters" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": {}, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "cardinal", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Logon Events in Time - Simple [Winlogbeat Security]", + "type": "line" + } + }, + "id": "abd44840-9c0f-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": 
"index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:23.176Z", + "version": "WzUxLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4624" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4624" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Types [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "winlog.logon.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "winlog.logon.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "user.name: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "label": "Unique count of winlog.logon.id", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + 
"truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Logon Types [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "006d75f0-9c03-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyMywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Logon Sources [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 15 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Logon Sources [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "21aadac0-9c0b-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNCwxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + 
"winlog.logon.id", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4778", + "4779" + ], + "type": "phrases", + "value": "4778, 4779" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4778" + } + }, + { + "match_phrase": { + "event.code": "4779" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Remote Interactive Connections and Disconnections [Winlogbeat Security]", + "version": 1 + }, + "id": "6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4648" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4648" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": 
"kuery", + "query": "" + } + } + }, + "title": "Logon with Explicit Credentials [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "user.name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 200 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "subjectUserName", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "source.ip", + "field": "source.ip", + "json": "{\"missing\": \"::\"}", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Logon with Explicit Credentials [Winlogbeat 
Security]", + "type": "table" + } + }, + "id": "25f31ee0-9c23-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNiwxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "user.domain", + "winlog.logon.id", + "event.action", + "winlog.logon.type", + "winlog.event_data.SubjectUserName" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4625" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User Logouts [Winlogbeat Security]", + "version": 1 + }, + "id": "06b6b060-7a80-11ea-bc9a-0baf2ca323a3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": 
"winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNywxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4624" + ], + "type": "phrases", + "value": "4624" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4624" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Winlogbeat Security]", + "version": 1 + }, + "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MywxXQ==" + } + ], + "version": "7.7.0" +} 
diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-logons.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-logons.json
new file mode 100644
index 00000000000..c6a05f7bdca
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-logons.json
@@ -0,0 +1,1785 @@ +{ + "objects": [ + { + "attributes": { + "description": "User logon activity dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "Admin Users Sessions" + }, + "gridData": { + "h": 28, + "i": "1", + "w": 18, + "x": 0, + "y": 34 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "title": "Admin Users Sessions", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "AdminLocalSta": "#890F02", + "SERVICIO LOCAL": "#508642" + }, + "legendOpen": true, + "title": "Administrators Logged On", + "vis": { + "colors": { + "AdminLocalSta": "#890F02", + "NETWORK SERVICE": "#1F78C1", + "SERVICIO LOCAL": "#508642" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 18, + "i": "3", + "w": 18, + "x": 0, + "y": 16 + }, + "panelIndex": "3", + "panelRefName": "panel_1", + "title": "Administrators Logged On", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "4", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "4", + "panelRefName": "panel_2", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Details" + }, + "gridData": { + "h": 47, + "i": "10", + "w": 23, + "x": 0, + "y": 62 + }, + "panelIndex": "10", + "panelRefName": "panel_3", + "title": "Logon Details", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "34fc9633-8a7c-444d-8d19-06095b55fb43", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "34fc9633-8a7c-444d-8d19-06095b55fb43", + "panelRefName": "panel_4", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 10, + "i": "67d2409d-3e51-45d5-972f-32a36537e622", + "w": 9, + "x": 0, + "y": 6 + }, + "panelIndex": 
"67d2409d-3e51-45d5-972f-32a36537e622", + "panelRefName": "panel_5", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 10, + "i": "33d05ce3-f60d-4a31-a668-aa6fab0cc800", + "w": 9, + "x": 9, + "y": 6 + }, + "panelIndex": "33d05ce3-f60d-4a31-a668-aa6fab0cc800", + "panelRefName": "panel_6", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logon Events Timeline" + }, + "gridData": { + "h": 13, + "i": "7b3906e6-3a81-450c-bb31-ca0d670440b7", + "w": 30, + "x": 18, + "y": 6 + }, + "panelIndex": "7b3906e6-3a81-450c-bb31-ca0d670440b7", + "panelRefName": "panel_7", + "title": "Logon Events Timeline", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "CachedInteractive": "#6ED0E0", + "Interactive": "#2F575E", + "Network": "#447EBC", + "RemoteInteractive": "#64B0C8", + "Service": "#6ED0E0", + "Unlock": "#BADFF4" + }, + "legendOpen": true, + "title": "Logon Types", + "vis": { + "colors": { + "CachedInteractive": "#6ED0E0", + "Interactive": "#2F575E", + "Network": "#447EBC", + "RemoteInteractive": "#64B0C8", + "Service": "#65C5DB", + "Unlock": "#BADFF4" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 15, + "i": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", + "w": 15, + "x": 18, + "y": 19 + }, + "panelIndex": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", + "panelRefName": "panel_8", + "title": "Logon Types", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "a743ffe5-a2ac-4c0b-9b6f-a81563140c42", + "w": 15, + "x": 33, + "y": 19 + }, + "panelIndex": "a743ffe5-a2ac-4c0b-9b6f-a81563140c42", + "panelRefName": "panel_9", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "RDP Reconnections and Desconnections" + }, + "gridData": { + "h": 28, + "i": "454bb008-9720-455e-8ab9-b2f47d25aa4f", + "w": 18, + "x": 18, + "y": 34 + }, + "panelIndex": "454bb008-9720-455e-8ab9-b2f47d25aa4f", + "panelRefName": "panel_10", + "title": "RDP Reconnections and 
Desconnections", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 28, + "i": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", + "w": 12, + "x": 36, + "y": 34 + }, + "panelIndex": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", + "panelRefName": "panel_11", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Logout Details" + }, + "gridData": { + "h": 46, + "i": "28115147-8399-4fcd-95ce-ed0a4f4239e3", + "w": 25, + "x": 23, + "y": 62 + }, + "panelIndex": "28115147-8399-4fcd-95ce-ed0a4f4239e3", + "panelRefName": "panel_12", + "title": "Logout Details", + "version": "7.7.0" + } + ], + "timeRestore": false, + "title": "[Winlogbeat Security] User Logons", + "version": 1 + }, + "id": "bae11b00-9bfc-11ea-87e4-49f31ec44891", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "804dd400-a248-11e9-a422-d144027429da", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "e2516c10-a249-11e9-a422-d144027429da", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "18348f30-a24d-11e9-a422-d144027429da", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "ce71c9a0-a25e-11e9-a422-d144027429da", + "name": "panel_3", + "type": "search" + }, + { + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "0622da40-9bfd-11ea-87e4-49f31ec44891", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "860706a0-9bfd-11ea-87e4-49f31ec44891", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "a909b930-685f-11ea-896f-0d70f7ec3956", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "006d75f0-9c03-11ea-87e4-49f31ec44891", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "21aadac0-9c0b-11ea-87e4-49f31ec44891", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", + "name": "panel_10", + "type": "search" + }, + { + "id": 
"25f31ee0-9c23-11ea-87e4-49f31ec44891", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "06b6b060-7a80-11ea-bc9a-0baf2ca323a3", + "name": "panel_12", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExNCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4672" + ], + "type": "phrases", + "value": "4672" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4672" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logged on Administrators [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Date", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "2020-05-20T07:35:27.496Z", + "to": "2020-05-22T00:01:10.239Z" + }, + "useNormalizedEsInterval": true + }, + "schema": "bucket", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "user.name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + 
"schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "8", + "params": { + "customLabel": "# Thread", + "field": "winlog.process.thread.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "9", + "params": { + "customLabel": "LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "date_histogram", + "format": { + "id": "date", + "params": { + "pattern": "YYYY-MM-DD HH:mm" + } + }, + "label": "Fecha - Hora ", + "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "Usuario", + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "number", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "# Thread", + "params": {} + }, + { + "accessor": 3, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "winlog.logon.id: Descending", + "params": {} + } + ], + 
"metrics": [ + { + "accessor": 4, + "aggType": "count", + "format": { + "id": "number" + }, + "label": "Cantidad Eventos ", + "params": {} + } + ] + }, + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Logged on Administrators [Winlogbeat Security]", + "type": "table" + } + }, + "id": "804dd400-a248-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4672" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4672", + "type": "phrase" + } + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Administrator Users [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "winlog.logon.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", 
+ "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "user.name: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "cardinality", + "format": { + "id": "number" + }, + "label": "Unique count of winlog.logon.id", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "type": "pie" + }, + "title": "Administrator Users [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "e2516c10-a249-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "User Logon Dashboard [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 10, + "markdown": "## **Logon Information Dashboard**", + "openLinksInNewTab": false + }, + "title": "User Logon Dashboard [Winlogbeat Security] ", + "type": "markdown" + } + }, + "id": 
"18348f30-a24d-11e9-a422-d144027429da", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExNywxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "winlog.logon.type", + "source.domain", + "source.ip", + "winlog.logon.id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4624" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.code": { + "query": "4624", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User Logons [Winlogbeat Security]", + "version": 1 + }, + "id": "ce71c9a0-a25e-11e9-a422-d144027429da", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzExOCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboard links [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat Overview](#/dashboard/Winlogbeat-Dashboard-ecs) | 
[User Logon Information](#/dashboard/bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:49:11.152Z", + "version": "WzI1MCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Administrator Logons [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(204,204,204,1)", + "id": "d5bcde50-9bfc-11ea-aaa3-618beeff2d9c", + "operator": "lte", + "value": 0 + }, + { + "background_color": "rgba(181,49,0,1)", + "id": "16018150-9bfd-11ea-aaa3-618beeff2d9c", + "operator": "gte", + "value": 0 + } + ], + "default_index_pattern": "packetbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "event.code: \"4672\"" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "winlogbeat-*", + "interval": "90d", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Administrator Logons", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + 
"separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Administrator Logons [Winlogbeat Security]", + "type": "metrics" + } + }, + "id": "0622da40-9bfd-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyMCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "User Logons [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(204,204,204,1)", + "id": "d5bcde50-9bfc-11ea-aaa3-618beeff2d9c", + "operator": "lte", + "value": 0 + }, + { + "background_color": "rgba(7,139,141,1)", + "id": "16018150-9bfd-11ea-aaa3-618beeff2d9c", + "operator": "gte", + "value": 0 + } + ], + "default_index_pattern": "packetbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "event.code: \"4624\"" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "winlogbeat-*", + "interval": "90d", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Logons ", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + 
"time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "User Logons [Winlogbeat Security]", + "type": "metrics" + } + }, + "id": "860706a0-9bfd-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyMSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Events Timeline [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "packetbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "event.code: \"4672\" or event.code: \"4624\" " + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "winlogbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_filters": [ + { + "color": "rgba(226,115,0,1)", + "filter": { + "language": "kuery", + "query": "event.code: \"4672\"" + }, + "id": "7560ee50-685f-11ea-8d46-c19e41702dd4", + "label": "Admin logons" + }, + { + "color": "rgba(164,221,243,1)", + "filter": { + "language": "kuery", + "query": "event.code: \"4624\"" + }, + "id": "80e7fb10-685f-11ea-8d46-c19e41702dd4", + "label": "Logon Events" + } + ], + "split_mode": "filters", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": 
"timeseries" + }, + "title": "Logon Events Timeline [Winlogbeat Security]", + "type": "metrics" + } + }, + "id": "a909b930-685f-11ea-896f-0d70f7ec3956", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4624" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4624" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon Types [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "winlog.logon.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "winlog.logon.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other", + "parsedUrl": { + "basePath": "/s/siem", + "origin": "https://192.168.1.72:5601", + "pathname": "/s/siem/app/kibana" + } + } + }, + "label": "user.name: Descending", + "params": {} + } + ], + "metric": { + "accessor": 1, + 
"aggType": "cardinality", + "format": { + "id": "number" + }, + "label": "Unique count of winlog.logon.id", + "params": {} + } + }, + "isDonut": false, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Logon Types [Winlogbeat Security]", + "type": "pie" + } + }, + "id": "006d75f0-9c03-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyMywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Logon Sources [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 15 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Logon Sources [Winlogbeat Security]", + "type": "tagcloud" + } + }, + "id": "21aadac0-9c0b-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], 
+ "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNCwxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4778", + "4779" + ], + "type": "phrases", + "value": "4778, 4779" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4778" + } + }, + { + "match_phrase": { + "event.code": "4779" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Remote Interactive Connections and Disconnections [Winlogbeat Security]", + "version": 1 + }, + "id": "6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4648" + }, + 
"type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4648" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Logon with Explicit Credentials [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "user.name", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 200 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "subjectUserName", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "source.ip", + "field": "source.ip", + "json": "{\"missing\": \"::\"}", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + 
"showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Logon with Explicit Credentials [Winlogbeat Security]", + "type": "table" + } + }, + "id": "25f31ee0-9c23-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNiwxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "user.domain", + "winlog.logon.id", + "event.action", + "winlog.logon.type", + "winlog.event_data.SubjectUserName" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4625" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.code": "4625" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "winlog.provider_name", + "negate": false, + "params": { + "query": "Microsoft-Windows-Security-Auditing" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "winlog.provider_name": "Microsoft-Windows-Security-Auditing" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": 
"User Logouts [Winlogbeat Security]", + "version": 1 + }, + "id": "06b6b060-7a80-11ea-bc9a-0baf2ca323a3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-06-04T16:26:26.182Z", + "version": "WzEyNywxXQ==" + }, + { + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4624" + ], + "type": "phrases", + "value": "4624" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4624" + } + } + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Winlogbeat Security]", + "version": 1 + }, + "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": 
"search",
+ "updated_at": "2020-06-04T16:26:27.206Z",
+ "version": "WzE0MywxXQ=="
+ }
+ ],
+ "version": "7.7.0"
+}
diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-management-tsvb.json
similarity index 80%
rename from x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json
rename to x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-management-tsvb.json
index 5e7bc0d2665..c0d67840468 100644
--- a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json
+++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-management-tsvb.json
@@ -2,7 +2,7 @@
 "objects": [
 {
 "attributes": {
- "description": "Uses Simple Metric Visualizations",
+ "description": "User management activity with TSVB metrics.",
 "hits": 0,
 "kibanaSavedObjectMeta": {
 "searchSourceJSON": {
@@ -15,13 +15,15 @@
 },
 "optionsJSON": {
 "hidePanelTitles": false,
- "useMargins": true
+ "useMargins": false
 },
 "panelsJSON": [
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
- "h": 19,
+ "h": 7,
 "i": "1",
 "w": 17,
 "x": 0,
@@ -29,315 +31,268 @@ }, "panelIndex": "1", "panelRefName": "panel_0", - "title": "", - "version": "7.3.0" + "version": "7.7.0" }, { "embeddableConfig": { - "vis": { - "legendOpen": false - } - }, - "gridData": { - "h": 19, - "i": "2", - "w": 18, - "x": 17, - "y": 0 + "title": "Created Users [Winlogbeat Security]" }, - "panelIndex": "2", - "panelRefName": "panel_1", - "title": "User Management Actions [Winlogbeat Security]", - "version": "7.3.0" - }, - { - "embeddableConfig": {}, "gridData": { "h": 16, "i": "3", "w": 9, "x": 0, - "y": 44 + "y": 55 }, "panelIndex": "3", - "panelRefName": "panel_2", + "panelRefName": "panel_1", "title": "Created Users [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, - "gridData": { - "h": 19, - "i": "4", - "w": 13, - "x": 35, - "y": 0 + "embeddableConfig": { + "title": "Enabled Users [Winlogbeat Security]" }, - "panelIndex": "4", - "panelRefName": "panel_3", - "title": "Event Codes [Winlogbeat Security]", - "version": "7.3.0" - }, - { - "embeddableConfig": {}, "gridData": { "h": 16, "i": "5", "w": 9, "x": 9, - "y": 44 + "y": 55 }, "panelIndex": "5", - "panelRefName": "panel_4", + "panelRefName": "panel_2", "title": "Enabled Users [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Disabled Users [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "6", "w": 9, "x": 0, - "y": 66 + "y": 80 }, "panelIndex": "6", - "panelRefName": "panel_5", + "panelRefName": "panel_3", "title": "Disabled Users [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Deleted Users [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "7", "w": 9, "x": 18, - "y": 44 + "y": 55 }, "panelIndex": "7", - "panelRefName": "panel_6", + "panelRefName": "panel_4", "title": "Deleted Users [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { 
"embeddableConfig": { - "vis": { - "defaultColors": { - "0 - 4": "rgb(247,252,245)", - "12 - 16": "rgb(35,139,69)", - "4 - 8": "rgb(199,233,192)", - "8 - 12": "rgb(116,196,118)" - }, - "legendOpen": false - } - }, - "gridData": { - "h": 20, - "i": "8", - "w": 48, - "x": 0, - "y": 19 + "title": "Passwords Changes [Winlogbeat Security]" }, - "panelIndex": "8", - "panelRefName": "panel_7", - "title": "Actions performed over Users [Winlogbeat Security]", - "version": "7.3.0" - }, - { - "embeddableConfig": {}, "gridData": { "h": 16, "i": "9", "w": 9, "x": 18, - "y": 66 + "y": 80 }, "panelIndex": "9", - "panelRefName": "panel_8", + "panelRefName": "panel_5", "title": "Passwords Changes [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 5, + "h": 9, "i": "10", "w": 9, "x": 0, - "y": 39 + "y": 46 }, "panelIndex": "10", - "panelRefName": "panel_9", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_6", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 5, + "h": 9, "i": "11", "w": 9, "x": 9, - "y": 39 + "y": 46 }, "panelIndex": "11", - "panelRefName": "panel_10", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_7", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 5, + "h": 9, "i": "12", "w": 9, "x": 18, - "y": 39 + "y": 46 }, "panelIndex": "12", - "panelRefName": "panel_11", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_8", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 6, + "h": 9, "i": "13", "w": 9, "x": 0, - "y": 60 + "y": 71 }, "panelIndex": "13", - "panelRefName": "panel_12", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_9", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" 
+ }, "gridData": { - "h": 6, + "h": 9, "i": "14", "w": 9, "x": 18, - "y": 60 + "y": 71 }, "panelIndex": "14", - "panelRefName": "panel_13", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_10", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Unlocked Users [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "15", "w": 9, "x": 9, - "y": 66 + "y": 80 }, "panelIndex": "15", - "panelRefName": "panel_14", + "panelRefName": "panel_11", "title": "Unlocked Users [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Users Changes [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "16", "w": 9, "x": 18, - "y": 88 + "y": 105 }, "panelIndex": "16", - "panelRefName": "panel_15", + "panelRefName": "panel_12", "title": "Users Changes [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 6, + "h": 9, "i": "17", "w": 9, "x": 0, - "y": 82 + "y": 96 }, "panelIndex": "17", - "panelRefName": "panel_16", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_13", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 6, + "h": 9, "i": "18", "w": 9, "x": 9, - "y": 60 + "y": 71 }, "panelIndex": "18", - "panelRefName": "panel_17", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_14", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 6, + "h": 9, "i": "19", "w": 9, "x": 18, - "y": 82 + "y": 96 }, "panelIndex": "19", - "panelRefName": "panel_18", - "title": "", - "version": "7.3.0" + "panelRefName": "panel_15", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Locked-out Users [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "20", "w": 9, "x": 0, - "y": 88 + "y": 
105 }, "panelIndex": "20", - "panelRefName": "panel_19", + "panelRefName": "panel_16", "title": "Locked-out Users [Winlogbeat Security]", - "version": "7.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 27, - "i": "21", - "w": 20, - "x": 27, - "y": 39 - }, - "panelIndex": "21", - "panelRefName": "panel_20", - "title": "User Management Actions Distributions over Time [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { "embeddableConfig": {}, "gridData": { - "h": 38, + "h": 48, "i": "22", "w": 21, "x": 27, - "y": 66 + "y": 73 }, "panelIndex": "22", - "panelRefName": "panel_21", - "version": "7.3.1" + "panelRefName": "panel_17", + "version": "7.7.0" }, { "embeddableConfig": {}, @@ -346,25 +301,26 @@ "i": "23", "w": 48, "x": 0, - "y": 104 + "y": 121 }, "panelIndex": "23", - "panelRefName": "panel_22", - "version": "7.3.1" + "panelRefName": "panel_18", + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 6, + "h": 9, "i": "24", "w": 9, "x": 9, - "y": 82 + "y": 96 }, "panelIndex": "24", - "panelRefName": "panel_23", - "title": "", - "version": "7.3.1" + "panelRefName": "panel_19", + "version": "7.7.0" }, { "embeddableConfig": {}, 
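Review bot: The `panelRefName` values in this hunk are shifted down (`panel_2`→`panel_1`, `panel_4`→`panel_2`, … `panel_21`→`panel_17`) after four panels (`i` 2, 4, 8 and 21) were dropped, which is only correct if the dashboard's `references` array — outside this hunk — was compacted in exactly the same order; a stale `panel_N` silently binds a panel to the wrong visualization, which is hard to spot on a dashboard that is supposed to show created/deleted/locked-out users. Hunk `@@ -373,11 +329,137 @@` continues the same sequence (`panel_20`…`panel_26`) and has the same dependency. Separately, titled panels now carry the title twice (`"embeddableConfig": { "title": "Created Users [Winlogbeat Security]" }` plus the panel-level `"title"`), while the untitled ones had their panel-level `"title": ""` removed and only keep `embeddableConfig.title`; picking one place for the title keeps the two from drifting on the next export.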
@@ -373,11 +329,137 @@ "i": "25", "w": 9, "x": 9, - "y": 88 + "y": 105 }, "panelIndex": "25", + "panelRefName": "panel_20", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "20adcb1b-cebf-4a75-9bc4-eaeeee626c5e", + "w": 31, + "x": 17, + "y": 0 + }, + "panelIndex": "20adcb1b-cebf-4a75-9bc4-eaeeee626c5e", + "panelRefName": "panel_21", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-user-account": "#0A437C", + "deleted-user-account": "#82B5D8", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#052B51", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE" + }, + "vis": { + "colors": { + "added-user-account": "#0A437C", + "deleted-user-account": "#82B5D8", + "disabled-user-account": "#BADFF4", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#052B51", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE" + } + } + }, + "gridData": { + "h": 19, + "i": "8aad73ff-37b1-487a-a3f1-b80b93618ac4", + "w": 18, + "x": 0, + "y": 7 + }, + "panelIndex": "8aad73ff-37b1-487a-a3f1-b80b93618ac4", + "panelRefName": "panel_22", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "18cc78ac-3f77-4f54-b351-cb94873cae3f", + "w": 14, + "x": 18, + "y": 7 + }, + "panelIndex": "18cc78ac-3f77-4f54-b351-cb94873cae3f", + "panelRefName": "panel_23", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d", + "w": 16, + "x": 32, + "y": 7 + }, + "panelIndex": "75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d", "panelRefName": "panel_24", - "version": "7.3.1" + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Actions performed over Users [Winlogbeat Security]", + "vis": null + }, + "gridData": { + "h": 20, + "i": "f443b5b0-ada7-426f-ae2f-46573f94f24f", + "w": 48, + "x": 0, + "y": 26 + }, + "panelIndex": "f443b5b0-ada7-426f-ae2f-46573f94f24f", + 
"panelRefName": "panel_25", + "title": "Actions performed over Users [Winlogbeat Security]", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-user-account": "#0A437C", + "deleted-user-account": "#82B5D8", + "disabled-user-account": "#BADFF4", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#2F575E", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE" + }, + "vis": { + "colors": { + "added-user-account": "#0A437C", + "deleted-user-account": "#82B5D8", + "disabled-user-account": "#BADFF4", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#2F575E", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE", + "unlocked-user-account": "#0A437C" + } + } + }, + "gridData": { + "h": 27, + "i": "820c0311-d378-49dc-a614-e0fed2254603", + "w": 21, + "x": 27, + "y": 46 + }, + "panelIndex": "820c0311-d378-49dc-a614-e0fed2254603", + "panelRefName": "panel_26", + "version": "7.7.0" } ], "timeRestore": false, 
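Review bot: The per-action colours disagree between the new panels: `"modified-user-account": "#052B51"` in panel_22 versus `"#2F575E"` in panel_26, `disabled-user-account` is present in panel_22's `vis.colors` but absent from its outer `colors`, and `unlocked-user-account` appears only in panel_26's `vis.colors`, where it reuses `#0A437C`, the colour already assigned to `added-user-account`. The same `event.action` value will therefore render differently from one panel to the next on the same dashboard, and two distinct actions share a colour in one of them, which defeats the point of a fixed palette for scanning user-management activity. Define one palette and copy it verbatim into both `colors` and `vis.colors` of every panel, giving `unlocked-user-account` its own colour. `"vis": null` in the "Actions performed over Users" panel's embeddableConfig is also an odd sentinel next to panels that simply omit the key.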
@@ -395,129 +477,139 @@ "type": "visualization" }, { - "id": "833e0110-b9ec-11e9-b6a2-c9b4015c4baf", + "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", "name": "panel_1", "type": "visualization" }, { - "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", + "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", "name": "panel_2", "type": "visualization" }, { - "id": "b2cecf10-bcd3-11e9-b6a2-c9b4015c4baf", + "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", "name": "panel_3", "type": "visualization" }, { - "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", "name": "panel_4", "type": "visualization" }, { - "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", "name": "panel_5", "type": "visualization" }, { - "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "102efd20-bcdd-11e9-b6a2-c9b4015c4baf", "name": "panel_6", "type": "visualization" }, { - "id": "dce77e60-bcd7-11e9-b6a2-c9b4015c4baf", + "id": "855957d0-bcdd-11e9-b6a2-c9b4015c4baf", "name": "panel_7", "type": "visualization" }, { - "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", + "id": "c359b020-bcdd-11e9-b6a2-c9b4015c4baf", "name": "panel_8", "type": "visualization" }, { - "id": "102efd20-bcdd-11e9-b6a2-c9b4015c4baf", + "id": "0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", "name": "panel_9", "type": "visualization" }, { - "id": "855957d0-bcdd-11e9-b6a2-c9b4015c4baf", + "id": "568a8130-bcde-11e9-b6a2-c9b4015c4baf", "name": "panel_10", "type": "visualization" }, { - "id": "c359b020-bcdd-11e9-b6a2-c9b4015c4baf", + "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", "name": "panel_11", "type": "visualization" }, { - "id": "0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", + "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", "name": "panel_12", "type": "visualization" }, { - "id": "568a8130-bcde-11e9-b6a2-c9b4015c4baf", + "id": "84502430-bce8-11e9-b6a2-c9b4015c4baf", "name": "panel_13", "type": "visualization" }, { - "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", + "id": 
"ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", "name": "panel_14", "type": "visualization" }, { - "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", + "id": "5d92b100-bce8-11e9-b6a2-c9b4015c4baf", "name": "panel_15", "type": "visualization" }, { - "id": "84502430-bce8-11e9-b6a2-c9b4015c4baf", + "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", "name": "panel_16", "type": "visualization" }, { - "id": "ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", + "id": "7e178c80-fee1-11e9-8405-516218e3d268", "name": "panel_17", - "type": "visualization" + "type": "search" }, { - "id": "5d92b100-bce8-11e9-b6a2-c9b4015c4baf", + "id": "324686c0-fefb-11e9-8405-516218e3d268", "name": "panel_18", - "type": "visualization" + "type": "search" }, { - "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", + "id": "5e19ff80-231c-11ea-8405-516218e3d268", "name": "panel_19", "type": "visualization" }, { - "id": "8f723a10-bd97-11e9-b9c5-fddc96658612", + "id": "fa876300-231a-11ea-8405-516218e3d268", "name": "panel_20", "type": "visualization" }, { - "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", "name": "panel_21", - "type": "search" + "type": "visualization" }, { - "id": "324686c0-fefb-11e9-8405-516218e3d268", + "id": "26877510-9b72-11ea-87e4-49f31ec44891", "name": "panel_22", - "type": "search" + "type": "visualization" }, { - "id": "5e19ff80-231c-11ea-8405-516218e3d268", + "id": "5c9ee410-9b74-11ea-87e4-49f31ec44891", "name": "panel_23", "type": "visualization" }, { - "id": "fa876300-231a-11ea-8405-516218e3d268", + "id": "117f5a30-9b71-11ea-87e4-49f31ec44891", "name": "panel_24", "type": "visualization" + }, + { + "id": "aa31c9d0-9b75-11ea-87e4-49f31ec44891", + "name": "panel_25", + "type": "visualization" + }, + { + "id": "caf4d2b0-9b76-11ea-87e4-49f31ec44891", + "name": "panel_26", + "type": "visualization" } ], "type": "dashboard", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzcwLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzg2LDFd" }, { 
 "attributes": {
@@ -538,7 +630,7 @@
 "aggs": [],
 "params": {
 "fontSize": 10,
- "markdown": "# **User Management Events**\n\n#### This dashboard shows information about User Management Events collected by winlogbeat\n#\n#\n#\nEvent | Description\n-- | --\n4720 | A user account was created\n4722 | A user account was enabled\n4723 | An attempt was made to change an account's password\n4724 | An attempt was made to reset an account's password\n4725 | An user account was disabled\n4726 | An user account was deleted\n4738 | An user account was changed\n4740 | An user account was locked out\n4767 | An account was unlocked\n4781 | The name of an account was changed",
+ "markdown": "# **User Management Events**\n\n#### This dashboard shows information about User Management Events collected by winlogbeat\n",
 "openLinksInNewTab": false
 },
 "title": "User Management Events - Description [Winlogbeat Security]",
@@ -547,12 +639,12 @@
 },
 "id": "2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf",
 "migrationVersion": {
- "visualization": "7.4.2"
+ "visualization": "7.7.0"
 },
 "references": [],
 "type": "visualization",
- "updated_at": "2020-02-04T20:39:02.784Z",
- "version": "WzcxLDFd"
+ "updated_at": "2020-06-04T16:26:25.228Z",
+ "version": "Wzg3LDFd"
 },
 {
 "attributes": {
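Review bot: The markdown description panel drops the whole `Event | Description` legend (4720 through 4781) and now ends in a dangling `\n` after the subtitle, so the dashboard no longer tells an analyst which Security event codes feed its tables and tiles. Since the other hunks split the panels per event code (4720 created, 4722 enabled, 4725 disabled, 4726 deleted, 4723/4724 password changes), a short code-to-meaning mapping is more useful here than before, not less; keep the rows for the codes still in use, or add one line pointing at the module documentation. If the table comes back, the old rows read `An user account`; `A user account` is the correct article.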
@@ -570,112 +662,18 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4765", - "4766", - "4767", - "4780", - "4781", - "4794", - "5376", - "5377" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377" + "params": { + "query": "4720" + }, + "type": "phrase", + "value": "4720" }, "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4765" - } - }, - { - "match_phrase": { - "event.code": "4766" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4780" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4794" - } - }, - { - "match_phrase": { - "event.code": "5376" - } - }, - { - "match_phrase": { - "event.code": "5377" - } - } - ] + "match": { + "event.code": { + "query": "4720", + "type": "phrase" + } } } } @@ -687,8 +685,17 @@ } } }, - "title": "User Management Events - Event Actions - Donut [Winlogbeat Security]", - "uiStateJSON": {}, + "title": "Users Created - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, "version": 1, "visState": { "aggs": [ 
@@ -703,22 +710,55 @@ "enabled": true, "id": "2", "params": { - "field": "event.action", + "customLabel": "Created User", + "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", "size": 5 }, - "schema": "segment", + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performer LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", "type": "terms" } ], "params": { - "addLegend": true, - "addTooltip": true, "dimensions": { "buckets": [ { 
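Review bot: The new `customLabel` for the `winlog.logon.id` column is spelled `Performer LogonID` here, `Performer LogonId` in the hunks at @@ -876 and @@ -1153, and `Performed LogonId` in the hunk at @@ -1340, so sibling tables on the same dashboard show three different headers for the same column. Settle on one spelling in all of them, e.g. `"customLabel": "Performer Logon ID"`. Only the `Performed by` bucket sets `"missingBucket": true`; if the intent is to never hide rows whose subject is missing, it is worth stating why the logon-id column does not get the same treatment, since a reader cannot tell from the export.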
@@ -733,34 +773,62 @@ } }, "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], - "metric": { - "accessor": 1, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } + "metrics": [ + { + "accessor": 3, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] }, - "isDonut": true, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null }, - "legendPosition": "right", - "type": "pie" + "totalFunc": "sum" }, - "title": "User Management Events - Event Actions - Donut [Winlogbeat Security]", - "type": "pie" + "title": "Users Created - Table [Winlogbeat Security]", + "type": "table" } }, - "id": "833e0110-b9ec-11e9-b6a2-c9b4015c4baf", + "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -775,8 +843,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzcyLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzg4LDFd" }, { "attributes": { @@ -795,15 +863,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4720" + "query": "4722" }, "type": "phrase", - "value": "4720" + "value": "4722" }, "query": { "match": { "event.code": { - "query": "4720", + "query": "4722", "type": "phrase" } } 
@@ -817,7 +885,7 @@
 }
 }
 },
- "title": "Users Created - Table [Winlogbeat Security]",
+ "title": "Users Enabled - Table [Winlogbeat Security]",
 "uiStateJSON": {
 "vis": {
 "params": {
@@ -842,7 +910,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "customLabel": "Created User",
+ "customLabel": "Enabled User",
 "field": "winlog.event_data.TargetUserName",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
@@ -876,7 +944,7 @@
 "enabled": true,
 "id": "4",
 "params": {
- "customLabel": "Performer LogonID",
+ "customLabel": "Performer LogonId",
 "field": "winlog.logon.id",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
@@ -954,13 +1022,13 @@
 },
 "totalFunc": "sum"
 },
- "title": "Users Created - Table [Winlogbeat Security]",
+ "title": "Users Enabled - Table [Winlogbeat Security]",
 "type": "table"
 }
 },
- "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf",
+ "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf",
 "migrationVersion": {
- "visualization": "7.4.2"
+ "visualization": "7.7.0"
 },
 "references": [
 {
@@ -975,8 +1043,8 @@
 }
 ],
 "type": "visualization",
- "updated_at": "2020-02-04T20:39:02.784Z",
- "version": "WzczLDFd"
+ "updated_at": "2020-06-04T16:26:25.228Z",
+ "version": "Wzg5LDFd"
 },
 {
 "attributes": {
@@ -994,112 +1062,18 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4765", - "4766", - "4767", - "4780", - "4781", - "4794", - "5376", - "5377" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377" + "params": { + "query": "4725" + }, + "type": "phrase", + "value": "4725" }, "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4765" - } - }, - { - "match_phrase": { - "event.code": "4766" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4780" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4794" - } - }, - { - "match_phrase": { - "event.code": "5376" - } - }, - { - "match_phrase": { - "event.code": "5377" - } - } - ] + "match": { + "event.code": { + "query": "4725", + "type": "phrase" + } } } } @@ -1111,7 +1085,7 @@ } } }, - "title": "User Management Events - Event Actions - Table [Winlogbeat Security]", + "title": "Users Disabled - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { 
@@ -1136,15 +1110,15 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Event Short Description", - "field": "event.action", + "customLabel": "Disabled User", + "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 10 + "size": 100 }, "schema": "bucket", "type": "terms" @@ -1153,8 +1127,25 @@ "enabled": true, "id": "3", "params": { - "customLabel": "Event Code", - "field": "event.code", + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performer LogonId", + "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -1195,11 +1186,24 @@ } }, "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], "metrics": [ { - "accessor": 2, + "accessor": 3, "aggType": "count", "format": { "id": "number" @@ -1218,13 +1222,13 @@ }, "totalFunc": "sum" }, - "title": "User Management Events - Event Actions - Table [Winlogbeat Security]", + "title": "Users Disabled - Table [Winlogbeat Security]", "type": "table" } }, - "id": "b2cecf10-bcd3-11e9-b6a2-c9b4015c4baf", + "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1239,8 +1243,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc0LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzkwLDFd" }, { "attributes": { 
@@ -1259,15 +1263,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4722" + "query": "4726" }, "type": "phrase", - "value": "4722" + "value": "4726" }, "query": { "match": { "event.code": { - "query": "4722", + "query": "4726", "type": "phrase" } } @@ -1281,7 +1285,7 @@ } } }, - "title": "Users Enabled - Table [Winlogbeat Security]", + "title": "Users Deleted - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1306,7 +1310,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Enabled User", + "customLabel": "Deleted User", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1340,7 +1344,7 @@ "enabled": true, "id": "4", "params": { - "customLabel": "Performer LogonId", + "customLabel": "Performed LogonId", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1418,13 +1422,13 @@ }, "totalFunc": "sum" }, - "title": "Users Enabled - Table [Winlogbeat Security]", + "title": "Users Deleted - Table [Winlogbeat Security]", "type": "table" } }, - "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1439,8 +1443,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc1LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzkxLDFd" }, { "attributes": { 
@@ -1458,18 +1462,28 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": { - "query": "4725" - }, - "type": "phrase", - "value": "4725" + "params": [ + "4723", + "4724" + ], + "type": "phrases", + "value": "4723, 4724" }, "query": { - "match": { - "event.code": { - "query": "4725", - "type": "phrase" - } + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + } + ] } } } @@ -1481,7 +1495,7 @@ } } }, - "title": "Users Disabled - Table [Winlogbeat Security]", + "title": "Users Password Changes - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1506,7 +1520,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Disabled User", + "customLabel": "Password Change to", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1618,13 +1632,13 @@ }, "totalFunc": "sum" }, - "title": "Users Disabled - Table [Winlogbeat Security]", + "title": "Users Password Changes - Table [Winlogbeat Security]", "type": "table" } }, - "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1639,8 +1653,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc2LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzkyLDFd" }, { "attributes": { @@ -1659,15 +1673,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4726" + "query": "4720" }, "type": "phrase", - "value": "4726" + "value": "4720" }, "query": { "match": { "event.code": { - "query": "4726", + "query": "4720", "type": "phrase" } } 
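Review bot: Folding 4723 and 4724 into one `phrases` filter merges a user changing their own password with an administrator resetting someone else's, and no column visible in this hunk lets the reader tell the two apart. For triage the distinction matters, since a burst of resets across many accounts reads very differently from routine self-service changes; consider an additional terms bucket on `event.code` or `event.action` next to the `Password Change to` column, or two separate tables. The label `"customLabel": "Password Change to"` also reads awkwardly; `"Target User"` or `"Password Changed / Reset For"` would be clearer.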
@@ -1681,150 +1695,69 @@ } } }, - "title": "Users Deleted - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, + "title": "Users Created - Simple Metric [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Deleted User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", "params": { - "customLabel": "Performed LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 + "customLabel": "Users Created" }, - "schema": "bucket", - "type": "terms" + "schema": "metric", + "type": "count" } ], "params": { + "addLegend": false, + "addTooltip": true, "dimensions": { - "buckets": [ + "metrics": [ { "accessor": 0, - "aggType": "terms", "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } + "id": "number", + "params": {} }, - "params": {} - }, + "type": "vis_dimension" + } + ] + }, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ { - "accessor": 1, - "aggType": "terms", - 
"format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "from": 0, + "to": 10000, + "type": "range" } ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false }, - "totalFunc": "sum" + "type": "metric" }, - "title": "Users Deleted - Table [Winlogbeat Security]", - "type": "table" + "title": "Users Created - Simple Metric [Winlogbeat Security]", + "type": "metric" } }, - "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "102efd20-bcdd-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1839,8 +1772,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc3LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzkzLDFd" }, { "attributes": { 
@@ -1858,112 +1791,18 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4765", - "4766", - "4767", - "4780", - "4781", - "4794", - "5376", - "5377" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377" + "params": { + "query": "4722" + }, + "type": "phrase", + "value": "4722" }, "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4765" - } - }, - { - "match_phrase": { - "event.code": "4766" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4780" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4794" - } - }, - { - "match_phrase": { - "event.code": "5376" - } - }, - { - "match_phrase": { - "event.code": "5377" - } - } - ] + "match": { + "event.code": { + "query": "4722", + "type": "phrase" + } } } } 
@@ -1975,140 +1814,70 @@ } } }, - "title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "defaultColors": { - "0 - 14": "rgb(247,251,255)", - "14 - 28": "rgb(198,219,239)", - "28 - 42": "rgb(107,174,214)", - "42 - 55": "rgb(33,113,181)" - } - } - }, + "title": "Users Enabled - Simple Metric [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Target User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 15 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", "params": { - "customLabel": "Operation", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 + "customLabel": "Users Enabled", + "field": "user.name" }, - "schema": "group", - "type": "terms" + "schema": "metric", + "type": "cardinality" } ], "params": { - "addLegend": true, + "addLegend": false, "addTooltip": true, - "colorSchema": "Blues", - "colorsNumber": 4, - "colorsRange": [], "dimensions": { - "series": [ - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - "y": [ + "metrics": [ { - "accessor": 2, - "aggType": "count", + "accessor": 0, "format": { - "id": "number" + 
"id": "number", + "params": {} }, - "params": {} + "type": "vis_dimension" } ] }, - "enableHover": false, - "invertColors": false, - "legendPosition": "right", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": true - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" }, - "title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat Security]", - "type": "heatmap" + "title": "Users Enabled - Simple Metric [Winlogbeat Security]", + "type": "metric" } }, - "id": "dce77e60-bcd7-11e9-b6a2-c9b4015c4baf", + "id": "855957d0-bcdd-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2123,8 +1892,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc4LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk0LDFd" }, { "attributes": { 
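Review bot: The `Users Enabled` tile aggregates `cardinality` over `user.name`, whereas the sibling `Users Created` (hunk at @@ -1681) and `Users Deleted` (hunk at @@ -2175) tiles are plain `count` of events, and the matching Users Enabled table keys on `winlog.event_data.TargetUserName`. If `user.name` is populated from the subject rather than the target of event 4722 (the module's mapping is not visible in this diff), the tile would count administrators rather than accounts enabled; even if it is the target, three tiles with the same look then measure different things. Use one aggregation for all three, either `"type": "count"` everywhere or cardinality on the same target-user field the tables use, and say which in the tile's `customLabel`.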
@@ -2142,28 +1911,18 @@
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "event.code",
 "negate": false,
- "params": [
- "4723",
- "4724"
- ],
- "type": "phrases",
- "value": "4723, 4724"
+ "params": {
+ "query": "4726"
+ },
+ "type": "phrase",
+ "value": "4726"
 },
 "query": {
- "bool": {
- "minimum_should_match": 1,
- "should": [
- {
- "match_phrase": {
- "event.code": "4723"
- }
- },
- {
- "match_phrase": {
- "event.code": "4724"
- }
- }
- ]
+ "match": {
+ "event.code": {
+ "query": "4726",
+ "type": "phrase"
+ }
 }
 }
 }
@@ -2175,150 +1934,69 @@ } } }, - "title": "Users Password Changes - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, + "title": "Users Deleted - Simple Metric [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Password Change to", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 + "customLabel": "Deleted Users" }, - "schema": "bucket", - "type": "terms" + "schema": "metric", + "type": "count" } ], "params": { + "addLegend": false, + "addTooltip": true, "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - 
"params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], "metrics": [ { - "accessor": 3, - "aggType": "count", + "accessor": 0, "format": { - "id": "number" + "id": "number", + "params": {} }, - "params": {} + "type": "vis_dimension" } ] }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false }, - "totalFunc": "sum" + "type": "metric" }, - "title": "Users Password Changes - Table [Winlogbeat Security]", - "type": "table" + "title": "Users Deleted - Simple Metric [Winlogbeat Security]", + "type": "metric" } }, - "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", + "id": "c359b020-bcdd-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2333,8 +2011,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc5LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk1LDFd" }, { "attributes": { @@ -2353,15 +2031,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4720" + "query": "4725" }, "type": "phrase", - "value": "4720" + "value": "4725" }, "query": { "match": { "event.code": { - "query": "4720", + "query": "4725", "type": "phrase" } } 
@@ -2375,7 +2053,7 @@ } } }, - "title": "Users Created - Simple Metric [Winlogbeat Security]", + "title": "Users Disabled - Simple Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -2384,10 +2062,11 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Users Created" + "customLabel": "Disabled Users", + "field": "user.name" }, "schema": "metric", - "type": "count" + "type": "cardinality" } ], "params": { @@ -2431,13 +2110,13 @@ }, "type": "metric" }, - "title": "Users Created - Simple Metric [Winlogbeat Security]", + "title": "Users Disabled - Simple Metric [Winlogbeat Security]", "type": "metric" } }, - "id": "102efd20-bcdd-11e9-b6a2-c9b4015c4baf", + "id": "0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2452,8 +2131,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzgwLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk2LDFd" }, { "attributes": { @@ -2471,18 +2150,28 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": { - "query": "4722" - }, - "type": "phrase", - "value": "4722" + "params": [ + "4723", + "4724" + ], + "type": "phrases", + "value": "4723, 4724" }, "query": { - "match": { - "event.code": { - "query": "4722", - "type": "phrase" - } + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + } + ] } } } @@ -2494,7 +2183,7 @@ } } }, - "title": "Users Enabled - Simple Metric [Winlogbeat Security]", + "title": "Users Password Reset / Changes [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { 
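Review bot: The `Disabled Users` metric in hunk `@@ -2384,10 +2062,11 @@` is a `cardinality` aggregation over `user.name`, while the sibling single-number panels visible in this file (`Deleted Users`, `Password Changes`, `Users Unlocks`, `Renamed Users`) are plain `count` aggregations, so this panel reports distinct accounts where the others report event volume, and the dashboard gives no hint that the numbers are not comparable. If a distinct count is intended, say so in the label, e.g. `"customLabel": "Distinct Users Disabled"`; otherwise use `"type": "count"` and drop the `"field": "user.name"` line. I cannot tell from this file whether `user.name` on a 4725 event is the disabled account or the account that performed the action, so confirm which one the metric is meant to count.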
@@ -2503,11 +2192,10 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Users Enabled", - "field": "user.name" + "customLabel": "Password Changes" }, "schema": "metric", - "type": "cardinality" + "type": "count" } ], "params": { @@ -2551,13 +2239,13 @@ }, "type": "metric" }, - "title": "Users Enabled - Simple Metric [Winlogbeat Security]", + "title": "Users Password Reset / Changes [Winlogbeat Security]", "type": "metric" } }, - "id": "855957d0-bcdd-11e9-b6a2-c9b4015c4baf", + "id": "568a8130-bcde-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2572,8 +2260,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzgxLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk3LDFd" }, { "attributes": { @@ -2592,15 +2280,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4726" + "query": "4767" }, "type": "phrase", - "value": "4726" + "value": "4767" }, "query": { "match": { "event.code": { - "query": "4726", + "query": "4767", "type": "phrase" } } 
@@ -2614,69 +2302,150 @@ } } }, - "title": "Users Deleted - Simple Metric [Winlogbeat Security]", - "uiStateJSON": {}, + "title": "Unlocked Users - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": { - "customLabel": "Deleted Users" - }, + "params": {}, "schema": "metric", "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Unlocked User", + "field": "winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performer Logonid", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" } ], "params": { - "addLegend": false, - "addTooltip": true, "dimensions": { - "metrics": [ + "buckets": [ { "accessor": 0, + "aggType": "terms", "format": { - "id": "number", - "params": {} + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ + "params": {} + }, { - "from": 0, - "to": 10000, - "type": "range" + "accessor": 1, + 
"aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false + "metrics": [ + { + "accessor": 3, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] }, - "type": "metric" + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" }, - "title": "Users Deleted - Simple Metric [Winlogbeat Security]", - "type": "metric" + "title": "Unlocked Users - Table [Winlogbeat Security]", + "type": "table" } }, - "id": "c359b020-bcdd-11e9-b6a2-c9b4015c4baf", + "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2691,8 +2460,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzgyLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk4LDFd" }, { "attributes": { @@ -2711,15 +2480,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4725" + "query": "4738" }, "type": "phrase", - "value": "4725" + "value": "4738" }, "query": { "match": { "event.code": { - "query": "4725", + "query": "4738", "type": "phrase" } } 
@@ -2733,36 +2502,239 @@ } } }, - "title": "Users Disabled - Simple Metric [Winlogbeat Security]", - "uiStateJSON": {}, + "title": "Users Changes Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", "params": { - "customLabel": "Disabled Users", - "field": "user.name" + "customLabel": "Changed User", + "field": "winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 }, - "schema": "metric", - "type": "cardinality" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performer LogonId", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} 
+ }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 3, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Users Changes Table [Winlogbeat Security]", + "type": "table" + } + }, + "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk5LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "4740" + ], + "type": "phrases", + "value": "4740" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4740" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Users Unlocks - Simple Metric 
[Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Users Locked Out" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "dimensions": { + "metrics": [ + { + "accessor": 0, + "format": { + "id": "number", + "params": {} + }, + "type": "vis_dimension" + } + ] }, "metric": { "colorSchema": "Green to Red", @@ -2790,13 +2762,13 @@ }, "type": "metric" }, - "title": "Users Disabled - Simple Metric [Winlogbeat Security]", + "title": "Users Unlocks - Simple Metric [Winlogbeat Security]", "type": "metric" } }, - "id": "0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", + "id": "84502430-bce8-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2811,8 +2783,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzgzLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwMCwxXQ==" }, { "attributes": { @@ -2831,11 +2803,10 @@ "key": "event.code", "negate": false, "params": [ - "4723", - "4724" + "4767" ], "type": "phrases", - "value": "4723, 4724" + "value": "4767" }, "query": { "bool": { @@ -2843,12 +2814,7 @@ "should": [ { "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" + "event.code": "4767" } } ] @@ -2863,7 +2829,7 @@ } } }, - "title": "Users Password Reset / Changes [Winlogbeat Security]", + "title": "Unlocked Users - Simple Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -2872,7 +2838,7 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Password Changes" + "customLabel": "Users Unlocks" }, "schema": "metric", "type": "count" 
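Review bot: The saved object with `"id": "84502430-bce8-11e9-b6a2-c9b4015c4baf"` is titled `Users Unlocks - Simple Metric [Winlogbeat Security]`, but its filter is `event.code` `4740` and its metric is labelled `"customLabel": "Users Locked Out"`; 4740 is the lockout event, and the unlock event 4767 already has its own `Unlocked Users - Simple Metric` object further down. A lockout counter that is named as an unlock counter is easy to misread while triaging, so both copies of the title (the one under `attributes` here and the one under `visState` in hunk `@@ -2790,13 +2762,13 @@`) should read `"title": "Users Locked Out - Simple Metric [Winlogbeat Security]"`. The object's `params.metric` block continues into the next hunk.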
@@ -2919,13 +2885,13 @@
 },
 "type": "metric"
 },
- "title": "Users Password Reset / Changes [Winlogbeat Security]",
+ "title": "Unlocked Users - Simple Metric [Winlogbeat Security]",
 "type": "metric"
 }
 },
- "id": "568a8130-bcde-11e9-b6a2-c9b4015c4baf",
+ "id": "ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf",
 "migrationVersion": {
- "visualization": "7.4.2"
+ "visualization": "7.7.0"
 },
 "references": [
 {
@@ -2940,8 +2906,8 @@
 }
 ],
 "type": "visualization",
- "updated_at": "2020-02-04T20:39:02.784Z",
- "version": "Wzg0LDFd"
+ "updated_at": "2020-06-04T16:26:25.228Z",
+ "version": "WzEwMSwxXQ=="
 },
 {
 "attributes": {
@@ -2959,18 +2925,22 @@
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
 "key": "event.code",
 "negate": false,
- "params": {
- "query": "4767"
- },
- "type": "phrase",
- "value": "4767"
+ "params": [
+ "4738"
+ ],
+ "type": "phrases",
+ "value": "4738"
 },
 "query": {
- "match": {
- "event.code": {
- "query": "4767",
- "type": "phrase"
- }
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4738"
+ }
+ }
+ ]
 }
 }
 }
@@ -2982,150 +2952,69 @@ } } }, - "title": "Unlocked Users - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, + "title": "Users Changes - Simple Metric [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Unlocked User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", "params": { - "customLabel": "Performer Logonid", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 + "customLabel": "Changes in Users" }, - "schema": "bucket", - "type": "terms" + "schema": "metric", + "type": "count" } ], "params": { + "addLegend": false, + "addTooltip": true, "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": 
{} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], "metrics": [ { - "accessor": 3, - "aggType": "count", + "accessor": 0, "format": { - "id": "number" + "id": "number", + "params": {} }, - "params": {} + "type": "vis_dimension" } ] }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000, + "type": "range" + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false }, - "totalFunc": "sum" + "type": "metric" }, - "title": "Unlocked Users - Table [Winlogbeat Security]", - "type": "table" + "title": "Users Changes - Simple Metric [Winlogbeat Security]", + "type": "metric" } }, - "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", + "id": "5d92b100-bce8-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -3140,8 +3029,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzg1LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwMiwxXQ==" }, { "attributes": { @@ -3160,15 +3049,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4738" + "query": "4740" }, "type": "phrase", - "value": "4738" + "value": "4740" }, "query": { "match": { "event.code": { - "query": "4738", + "query": "4740", "type": "phrase" } } @@ -3182,7 +3071,7 @@ } } }, - "title": "Users Changes Table [Winlogbeat Security]", + "title": "Users Locked Out - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { 
@@ -3207,7 +3096,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Changed User", + "customLabel": "Locked User", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -3319,13 +3208,13 @@ }, "totalFunc": "sum" }, - "title": "Users Changes Table [Winlogbeat Security]", + "title": "Users Locked Out - Table [Winlogbeat Security]", "type": "table" } }, - "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", + "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -3340,12 +3229,20 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzg2LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwMywxXQ==" }, { "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], "description": "", + "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -3360,10 +3257,10 @@ "key": "event.code", "negate": false, "params": [ - "4740" + "4624" ], "type": "phrases", - "value": "4740" + "value": "4624" }, "query": { "bool": { @@ -3371,7 +3268,7 @@ "should": [ { "match_phrase": { - "event.code": "4740" + "event.code": "4624" } } ] 
@@ -3379,76 +3276,27 @@ } } ], + "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" - } + }, + "version": true } }, - "title": "Users Unlocks - Simple Metric [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Users Locked Out" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "Users Unlocks - Simple Metric [Winlogbeat Security]", - "type": "metric" - } + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Winlogbeat Security]", + "version": 1 }, - "id": "84502430-bce8-11e9-b6a2-c9b4015c4baf", + "id": "7e178c80-fee1-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "search": "7.4.0" }, "references": [ { 
@@ -3462,20 +3310,30 @@ "type": "index-pattern" } ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzg3LDFd" + "type": "search", + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MywxXQ==" }, { "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, + "columns": [ + "event.action", + "winlog.event_data.TargetUserName", + "user.domain", + "user.name", + "winlog.event_data.SubjectDomainName", + "winlog.logon.id", + "related.user" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, "meta": { "alias": null, "disabled": false, 
@@ -3483,95 +3341,106 @@ "key": "event.code", "negate": false, "params": [ - "4767" + "4720", + "4722", + "4723", + "4724", + "4725", + "4726", + "4738", + "4740", + "4767", + "4781", + "4798" ], "type": "phrases", - "value": "4767" + "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" }, "query": { "bool": { "minimum_should_match": 1, "should": [ + { + "match_phrase": { + "event.code": "4720" + } + }, + { + "match_phrase": { + "event.code": "4722" + } + }, + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + }, + { + "match_phrase": { + "event.code": "4725" + } + }, + { + "match_phrase": { + "event.code": "4726" + } + }, + { + "match_phrase": { + "event.code": "4738" + } + }, + { + "match_phrase": { + "event.code": "4740" + } + }, { "match_phrase": { "event.code": "4767" } + }, + { + "match_phrase": { + "event.code": "4781" + } + }, + { + "match_phrase": { + "event.code": "4798" + } } ] } } } ], + "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { - "language": "kuery", + "language": "lucene", "query": "" - } + }, + "version": true } }, - "title": "Unlocked Users - Simple Metric [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Users Unlocks" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": 
"" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "Unlocked Users - Simple Metric [Winlogbeat Security]", - "type": "metric" - } + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User management Details - Search [Winlogbeat Security]", + "version": 1 }, - "id": "ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", + "id": "324686c0-fefb-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "search": "7.4.0" }, "references": [ { @@ -3585,9 +3454,9 @@ "type": "index-pattern" } ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzg4LDFd" + "type": "search", + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwNSwxXQ==" }, { "attributes": { @@ -3606,10 +3475,10 @@ "key": "event.code", "negate": false, "params": [ - "4738" + "4781" ], "type": "phrases", - "value": "4738" + "value": "4781" }, "query": { "bool": { @@ -3617,7 +3486,7 @@ "should": [ { "match_phrase": { - "event.code": "4738" + "event.code": "4781" } } ] @@ -3632,7 +3501,7 @@ } } }, - "title": "Users Changes - Simple Metric [Winlogbeat Security]", + "title": "Users Renamed - Simple Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3641,7 +3510,7 @@ "enabled": true, "id": "1", "params": { - "customLabel": "Changes in Users" + "customLabel": "Renamed Users" }, "schema": "metric", "type": "count" @@ -3688,13 +3557,13 @@ }, "type": "metric" }, - "title": "Users Changes - Simple Metric [Winlogbeat Security]", + "title": "Users Renamed - Simple Metric [Winlogbeat Security]", "type": "metric" } }, - "id": "5d92b100-bce8-11e9-b6a2-c9b4015c4baf", + "id": "5e19ff80-231c-11ea-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -3709,8 +3578,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzg5LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwNiwxXQ==" }, { "attributes": { 
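Review bot: The new `User management Details - Search [Winlogbeat Security]` saved search sets `"language": "lucene"` while every other saved object visible in this file uses `"language": "kuery"`. With an empty `query` string the choice has no effect today, but the first analyst who types into this search gets Lucene syntax instead of KQL, and the same expression may be parsed differently by the two languages; change it to `"language": "kuery"` for consistency. The `migrationVersion` here is `"search": "7.4.0"` whereas the visualizations in this commit were bumped to `7.7.0`; that may simply be what the export produced for saved searches, so just confirm it is intentional.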
@@ -3729,15 +3598,15 @@
 "key": "event.code",
 "negate": false,
 "params": {
- "query": "4740"
+ "query": "4781"
 },
 "type": "phrase",
- "value": "4740"
+ "value": "4781"
 },
 "query": {
 "match": {
 "event.code": {
- "query": "4740",
+ "query": "4781",
 "type": "phrase"
 }
 }
@@ -3751,7 +3620,7 @@
 }
 }
 },
- "title": "Users Locked Out - Table [Winlogbeat Security]",
+ "title": "Users Renamed - Table [Winlogbeat Security]",
 "uiStateJSON": {
 "vis": {
 "params": {
@@ -3776,8 +3645,8 @@
 "enabled": true,
 "id": "2",
 "params": {
- "customLabel": "Locked User",
- "field": "winlog.event_data.TargetUserName",
+ "customLabel": "Old User Name",
+ "field": "winlog.event_data.OldTargetUserName",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -3888,13 +3757,13 @@
 },
 "totalFunc": "sum"
 },
- "title": "Users Locked Out - Table [Winlogbeat Security]",
+ "title": "Users Renamed - Table [Winlogbeat Security]",
 "type": "table"
 }
 },
- "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf",
+ "id": "fa876300-231a-11ea-8405-516218e3d268",
 "migrationVersion": {
- "visualization": "7.4.2"
+ "visualization": "7.7.0"
 },
 "references": [
 {
@@ -3909,113 +3778,58 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkwLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwNywxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4767", - "4781", - "4798" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4798" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { "language": "kuery", "query": "" } } }, - "title": "Event Distribution in time [Winlogbeat Security]", + "title": "Dashboard links - Simple [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat General ECS Dashboard](#/dashboard/Winlogbeat-Dashboard-ecs) | [User Logon Information](#/dashboard/035846a0-a249-11e9-a422-d144027429da?) 
| [Logon failed and Account Lockout](#/dashboard/f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/01c54730-fee6-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links - Simple [Winlogbeat Security]", + "type": "markdown" + } + }, + "id": "d770b040-9b35-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:29.252Z", + "version": "WzE3NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "User Management Actions [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -4030,24 +3844,6 @@ { "enabled": true, "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "timeRange": { - "from": "now-45d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", "params": { "field": "event.action", "missingBucket": false, 
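Review bot: The `markdown` string of the new "Dashboard links - Simple" visualization hard-codes five dashboard ids while the object declares `"references": []`, so the saved-object import has nothing to validate them against and a dashboard that is later re-exported under a different id (this same commit renames dashboard files) turns into a dead link with no error. The `User Logon Information` link also carries a trailing `?` (`#/dashboard/035846a0-a249-11e9-a422-d144027429da?`) that the other four links do not; drop it so all five links have the same shape. Since JSON cannot carry a comment, the list of dashboard ids this panel depends on is worth recording in the module's dashboard documentation so the next id change does not silently break the navigation bar.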
@@ -4056,408 +3852,226 @@ "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 5 + "size": 15 }, - "schema": "group", + "schema": "segment", "type": "terms" } ], "params": { "addLegend": true, - "addTimeMarker": false, "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "dimensions": { - "series": [ - { - "accessor": 1, - "aggType": "filters", - "format": {}, - "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "date_histogram", - "format": { - "id": "date", - "params": { - "pattern": "YYYY-MM-DD HH:mm" - } - }, - "params": { - "bounds": { - "max": "2019-11-04T14:10:39.628Z", - "min": "2019-09-20T13:10:39.628Z" - }, - "date": true, - "format": "YYYY-MM-DD HH:mm", - "interval": "PT12H" - } - }, - "y": [ - { - "accessor": 2, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "grid": { - "categoryLines": false - }, + "isDonut": false, "labels": { - "show": true + "last_level": true, + "show": false, + "truncate": 100, + "values": true }, - "legendPosition": "bottom", - "seriesParams": [ - { - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "mode": "stacked", - "show": "true", - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] + "legendPosition": "right", + "type": "pie" }, - "title": "Event Distribution in time [Winlogbeat Security]", - "type": 
"histogram" + "title": "User Management Actions [Winlogbeat Security]", + "type": "pie" } }, - "id": "8f723a10-bd97-11e9-b9c5-fddc96658612", + "id": "26877510-9b72-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkxLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwOSwxXQ==" }, { "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4624" - ], - "type": "phrases", - "value": "4624" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4624" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Winlogbeat Security]", - "version": 1 - }, - "id": "7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" + "savedSearchRefName": 
"search_0", + "title": "User Event Actions - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "event.action", + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "event.code", + "field": "event.code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "User Event Actions - Table [Winlogbeat Security]", + "type": "table" + } + }, + "id": "5c9ee410-9b74-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], - "type": "search", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkyLDFd" + "type": "visualization", + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzExMCwxXQ==" }, { "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "winlog.event_data.SubjectUserName", - 
"winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4767", - "4781" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { - "language": "lucene", + "language": "kuery", "query": "" - }, - "version": true + } } }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Winlogbeat Security]", - "version": 1 + "savedSearchRefName": "search_0", + "title": "Target Users [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": 
"Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Target Users [Winlogbeat Security]", + "type": "tagcloud" + } }, - "id": "324686c0-fefb-11e9-8405-516218e3d268", + "id": "117f5a30-9b71-11ea-87e4-49f31ec44891", "migrationVersion": { - "search": "7.4.0" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], - "type": "search", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkzLDFd" + "type": "visualization", + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzExMSwxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4781" - ], - "type": "phrases", - "value": "4781" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4781" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { "language": "kuery", "query": "" } } }, - "title": "Users Renamed - Simple Metric [Winlogbeat Security]", + "savedSearchRefName": "search_0", + "title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": 
{ 
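Review bot: Every new terms aggregation in this hunk sets `"otherBucket": false` next to a small `size` — `event.action` with `"size": 15` in the "User Management Actions" pie, `event.action` `"size": 25` and `event.code` `"size": 5` in the "User Event Actions - Table", and `winlog.event_data.TargetUserName` `"size": 10` in the "Target Users" tag cloud — so anything outside the top-N is dropped from the panel with no indication that data was truncated. On a security dashboard the rare bucket is frequently the interesting one (a single rename, unlock or password reset of a privileged account), so either raise `size` or set `"otherBucket": true` so the viewer can see that more values exist. The same pattern recurs in the heatmap of the next hunk (`"size": 20` and `"size": 10`) and in the histogram's `event.action` split after it (`"size": 15`).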
@@ -4465,128 +4079,109 @@ { "enabled": true, "id": "1", - "params": { - "customLabel": "Renamed Users" - }, + "params": {}, "schema": "metric", "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Target User", + "field": "winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" } ], "params": { - "addLegend": false, + "addLegend": true, "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" + "colorSchema": "Blues", + "colorsNumber": 4, + "colorsRange": [], + "enableHover": false, + "invertColors": false, + "legendPosition": "right", + "percentageMode": false, + "setColorRange": false, + "times": [], + "type": "heatmap", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "black", + "overwriteColor": false, + "rotate": 0, + "show": true + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] }, - "title": "Users Renamed - Simple Metric [Winlogbeat Security]", - "type": "metric" + 
"title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat Security]", + "type": "heatmap" } }, - "id": "5e19ff80-231c-11ea-8405-516218e3d268", + "id": "aa31c9d0-9b75-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzk0LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzExMiwxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4781" - }, - "type": "phrase", - "value": "4781" - }, - "query": { - "match": { - "event.code": { - "query": "4781", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { "language": "kuery", "query": "" } } }, - "title": "Users Renamed - Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, + "savedSearchRefName": "search_0", + "title": "Event Distribution in time [Winlogbeat Security]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ 
@@ -4601,142 +4196,134 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Old User Name", - "field": "winlog.event_data.OldTargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-7d", + "to": "now" + }, + "useNormalizedEsInterval": true }, - "schema": "bucket", - "type": "terms" + "schema": "segment", + "type": "date_histogram" }, { "enabled": true, "id": "3", "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", + "field": "event.action", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 5 + "size": 15 }, - "schema": "bucket", + "schema": "group", "type": "terms" } ], "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + 
"position": "bottom", + "scale": { + "type": "linear" }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + "labels": { + "show": false }, - "totalFunc": "sum" + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] }, - "title": "Users Renamed - Table [Winlogbeat Security]", - "type": "table" + "title": "Event Distribution in time [Winlogbeat Security]", + "type": "histogram" } }, - "id": "fa876300-231a-11ea-8405-516218e3d268", + "id": "caf4d2b0-9b76-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzk1LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzExMywxXQ==" } ], - "version": "7.5.2" + "version": "7.7.0" } diff --git a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/71f720f0-ff18-11e9-8405-516218e3d268.json b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-management.json similarity index 77% rename from x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/71f720f0-ff18-11e9-8405-516218e3d268.json rename to x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-management.json index 0d0253235f6..eb8c9344561 100644 --- a/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/71f720f0-ff18-11e9-8405-516218e3d268.json +++ b/x-pack/winlogbeat/module/security/_meta/kibana/7/dashboard/winlogbeat-security-user-management.json @@ -2,7 +2,7 @@ "objects": [ { "attributes": { - "description": "Includes Visual Builder Metric Interval size 90 days", + "description": "User management activity.", "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { @@ -15,13 +15,15 @@ }, "optionsJSON": { "hidePanelTitles": false, - "useMargins": true + "useMargins": false }, "panelsJSON": [ { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "" + }, "gridData": { - "h": 19, + "h": 8, "i": "1", "w": 17, "x": 0, 
@@ -29,190 +31,135 @@
 },
 "panelIndex": "1",
 "panelRefName": "panel_0",
- "title": "",
- "version": "7.3.0"
+ "version": "7.7.0"
 },
 {
 "embeddableConfig": {
- "vis": {
- "legendOpen": false
- }
- },
- "gridData": {
- "h": 19,
- "i": "2",
- "w": 18,
- "x": 17,
- "y": 0
+ "title": "Created Users [Winlogbeat Security]"
 },
- "panelIndex": "2",
- "panelRefName": "panel_1",
- "title": "User Management Actions [Winlogbeat Security]",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {},
 "gridData": {
 "h": 16,
 "i": "3",
 "w": 9,
 "x": 0,
- "y": 51
+ "y": 56
 },
 "panelIndex": "3",
- "panelRefName": "panel_2",
+ "panelRefName": "panel_1",
 "title": "Created Users [Winlogbeat Security]",
- "version": "7.3.0"
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
- "gridData": {
- "h": 19,
- "i": "4",
- "w": 13,
- "x": 35,
- "y": 0
+ "embeddableConfig": {
+ "title": "Enabled Users [Winlogbeat Security]"
 },
- "panelIndex": "4",
- "panelRefName": "panel_3",
- "title": "Event Codes [Winlogbeat Security]",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {},
 "gridData": {
 "h": 16,
 "i": "5",
 "w": 9,
 "x": 9,
- "y": 51
+ "y": 56
 },
 "panelIndex": "5",
- "panelRefName": "panel_4",
+ "panelRefName": "panel_2",
 "title": "Enabled Users [Winlogbeat Security]",
- "version": "7.3.0"
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": "Disabled Users [Winlogbeat Security]"
+ },
 "gridData": {
 "h": 16,
 "i": "6",
 "w": 9,
 "x": 0,
- "y": 74
+ "y": 79
 },
 "panelIndex": "6",
- "panelRefName": "panel_5",
+ "panelRefName": "panel_3",
 "title": "Disabled Users [Winlogbeat Security]",
- "version": "7.3.0"
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": "Deleted Users [Winlogbeat Security]"
+ },
 "gridData": {
 "h": 16,
 "i": "7",
 "w": 9,
 "x": 18,
- "y": 51
+ "y": 56
 },
 "panelIndex": "7",
- "panelRefName": "panel_6",
+ "panelRefName": "panel_4",
 "title": "Deleted Users [Winlogbeat Security]",
- "version": "7.3.0"
+ "version": "7.7.0"
 },
 {
"embeddableConfig": { - "vis": { - "defaultColors": { - "0 - 4": "rgb(247,252,245)", - "12 - 16": "rgb(35,139,69)", - "4 - 8": "rgb(199,233,192)", - "8 - 12": "rgb(116,196,118)" - }, - "legendOpen": false - } - }, - "gridData": { - "h": 25, - "i": "8", - "w": 48, - "x": 0, - "y": 19 + "title": "Passwords Changes [Winlogbeat Security]" }, - "panelIndex": "8", - "panelRefName": "panel_7", - "title": "Actions performed over Users [Winlogbeat Security]", - "version": "7.3.0" - }, - { - "embeddableConfig": {}, "gridData": { "h": 16, "i": "9", "w": 9, "x": 18, - "y": 74 + "y": 79 }, "panelIndex": "9", - "panelRefName": "panel_8", + "panelRefName": "panel_5", "title": "Passwords Changes [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Unlocked Users [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "15", "w": 9, "x": 9, - "y": 74 + "y": 79 }, "panelIndex": "15", - "panelRefName": "panel_9", + "panelRefName": "panel_6", "title": "Unlocked Users [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Users Changes [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "16", "w": 9, "x": 18, - "y": 97 + "y": 102 }, "panelIndex": "16", - "panelRefName": "panel_10", + "panelRefName": "panel_7", "title": "Users Changes [Winlogbeat Security]", - "version": "7.3.0" + "version": "7.7.0" }, { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "Locked-out Users [Winlogbeat Security]" + }, "gridData": { "h": 16, "i": "20", "w": 9, "x": 0, - "y": 97 + "y": 102 }, "panelIndex": "20", - "panelRefName": "panel_11", + "panelRefName": "panel_8", "title": "Locked-out Users [Winlogbeat Security]", - "version": "7.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 23, - "i": "21", - "w": 21, - "x": 27, - "y": 44 - }, - "panelIndex": "21", - "panelRefName": "panel_12", - "title": "User Management Actions 
Distributions over Time [Winlogbeat Security]",
- "version": "7.3.0"
+ "version": "7.7.0"
 },
 {
 "embeddableConfig": {},
@@ -221,11 +168,11 @@
 "i": "22",
 "w": 21,
 "x": 27,
- "y": 67
+ "y": 72
 },
 "panelIndex": "22",
- "panelRefName": "panel_13",
- "version": "7.3.1"
+ "panelRefName": "panel_9",
+ "version": "7.7.0"
 },
 {
 "embeddableConfig": {},
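Review bot: Each panel in this hunk now carries its title twice — `"embeddableConfig": { "title": "Created Users [Winlogbeat Security]" }` directly beside the panel-level `"title": "Created Users [Winlogbeat Security]"` — and the same duplication is added for Enabled, Disabled, Deleted, Passwords Changes, Unlocked, Users Changes and Locked-out Users. Two copies of one string will drift the next time a panel is renamed in Kibana and re-exported; if the `embeddableConfig` title is the one 7.7 honours, the outer `"title"` can go (the blank-titled panels further down this file already drop it), otherwise keep the outer one and leave `embeddableConfig` empty. The `panelsJSON` array continues outside this hunk.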
@@ -234,137 +181,146 @@
 "i": "23",
 "w": 48,
 "x": 0,
- "y": 113
+ "y": 118
 },
 "panelIndex": "23",
- "panelRefName": "panel_14",
- "version": "7.3.1"
+ "panelRefName": "panel_10",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "24",
 "w": 9,
 "x": 0,
- "y": 67
+ "y": 72
 },
 "panelIndex": "24",
- "panelRefName": "panel_15",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_11",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "25",
 "w": 9,
 "x": 9,
- "y": 44
+ "y": 49
 },
 "panelIndex": "25",
- "panelRefName": "panel_16",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_12",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "26",
 "w": 9,
 "x": 18,
- "y": 44
+ "y": 49
 },
 "panelIndex": "26",
- "panelRefName": "panel_17",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_13",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "27",
 "w": 9,
 "x": 0,
- "y": 44
+ "y": 49
 },
 "panelIndex": "27",
- "panelRefName": "panel_18",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_14",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "28",
 "w": 9,
 "x": 9,
- "y": 67
+ "y": 72
 },
 "panelIndex": "28",
- "panelRefName": "panel_19",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_15",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "29",
 "w": 9,
 "x": 18,
- "y": 67
+ "y": 72
 },
 "panelIndex": "29",
- "panelRefName": "panel_20",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_16",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "30",
 "w": 9,
 "x": 0,
- "y": 90
+ "y": 95
 },
 "panelIndex": "30",
- "panelRefName": "panel_21",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_17",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "31",
 "w": 9,
 "x": 18,
- "y": 90
+ "y": 95
 },
 "panelIndex": "31",
- "panelRefName": "panel_22",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_18",
+ "version": "7.7.0"
 },
 {
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "title": ""
+ },
 "gridData": {
 "h": 7,
 "i": "32",
 "w": 9,
 "x": 9,
- "y": 90
+ "y": 95
 },
 "panelIndex": "32",
- "panelRefName": "panel_23",
- "title": "",
- "version": "7.3.1"
+ "panelRefName": "panel_19",
+ "version": "7.7.0"
 },
 {
 "embeddableConfig": {},
@@ -373,11 +329,137 @@ "i": "33", "w": 9, "x": 9, - "y": 97 + "y": 102 }, "panelIndex": "33", + "panelRefName": "panel_20", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 8, + "i": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", + "w": 31, + "x": 17, + "y": 0 + }, + "panelIndex": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", + "panelRefName": "panel_21", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-user-account": "#447EBC", + "deleted-user-account": "#82B5D8", + "disabled-user-account": "#82B5D8", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#2F575E", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE" + }, + "vis": { + "colors": { + "added-user-account": "#447EBC", + "deleted-user-account": "#82B5D8", + "disabled-user-account": "#82B5D8", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#2F575E", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE", + "unlocked-user-account": "#64B0C8" + } + } + }, + "gridData": { + "h": 16, + "i": "a2871661-98a8-489b-b615-e66ebe3b971a", + "w": 17, + "x": 0, + "y": 8 + }, + "panelIndex": "a2871661-98a8-489b-b615-e66ebe3b971a", + "panelRefName": "panel_22", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "e80fae4a-6087-41e1-b4b9-31802cb1e4bf", + "w": 18, + "x": 30, + "y": 8 + }, + "panelIndex": "e80fae4a-6087-41e1-b4b9-31802cb1e4bf", + "panelRefName": "panel_23", + "version": "7.7.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", + "w": 13, + "x": 17, + "y": 8 + }, + "panelIndex": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", "panelRefName": "panel_24", - "version": "7.3.1" + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Actions performed over Users [Winlogbeat Security]", + "vis": null + }, + "gridData": { + "h": 25, + "i": "29f54335-78db-4c49-a3e0-a641fd0099f6", + "w": 48, + "x": 0, + 
"y": 24 + }, + "panelIndex": "29f54335-78db-4c49-a3e0-a641fd0099f6", + "panelRefName": "panel_25", + "title": "Actions performed over Users [Winlogbeat Security]", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "colors": { + "added-user-account": "#0A437C", + "deleted-user-account": "#5195CE", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#052B51", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE" + }, + "vis": { + "colors": { + "added-user-account": "#0A437C", + "deleted-user-account": "#5195CE", + "disabled-user-account": "#82B5D8", + "enabled-user-account": "#0A50A1", + "modified-user-account": "#052B51", + "renamed-user-account": "#1F78C1", + "reset-password": "#5195CE" + } + } + }, + "gridData": { + "h": 23, + "i": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", + "w": 21, + "x": 27, + "y": 49 + }, + "panelIndex": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", + "panelRefName": "panel_26", + "version": "7.7.0" } ], "timeRestore": false, 
@@ -395,129 +477,139 @@ "type": "visualization" }, { - "id": "833e0110-b9ec-11e9-b6a2-c9b4015c4baf", + "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", "name": "panel_1", "type": "visualization" }, { - "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", + "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", "name": "panel_2", "type": "visualization" }, { - "id": "b2cecf10-bcd3-11e9-b6a2-c9b4015c4baf", + "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", "name": "panel_3", "type": "visualization" }, { - "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", "name": "panel_4", "type": "visualization" }, { - "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", "name": "panel_5", "type": "visualization" }, { - "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", "name": "panel_6", "type": "visualization" }, { - "id": "dce77e60-bcd7-11e9-b6a2-c9b4015c4baf", + "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", "name": "panel_7", "type": "visualization" }, { - "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", + "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", "name": "panel_8", "type": "visualization" }, { - "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", + "id": "7e178c80-fee1-11e9-8405-516218e3d268", "name": "panel_9", - "type": "visualization" + "type": "search" }, { - "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", + "id": "324686c0-fefb-11e9-8405-516218e3d268", "name": "panel_10", - "type": "visualization" + "type": "search" }, { - "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", + "id": "97c70300-ff1c-11e9-8405-516218e3d268", "name": "panel_11", "type": "visualization" }, { - "id": "8f723a10-bd97-11e9-b9c5-fddc96658612", + "id": "bf45dc50-ff1a-11e9-8405-516218e3d268", "name": "panel_12", "type": "visualization" }, { - "id": "7e178c80-fee1-11e9-8405-516218e3d268", + "id": "7322f9f0-ff1c-11e9-8405-516218e3d268", "name": "panel_13", - "type": "search" + "type": "visualization" }, { - "id": 
"324686c0-fefb-11e9-8405-516218e3d268", + "id": "d3a5fec0-ff18-11e9-8405-516218e3d268", "name": "panel_14", - "type": "search" + "type": "visualization" }, { - "id": "97c70300-ff1c-11e9-8405-516218e3d268", + "id": "1b6725f0-ff1d-11e9-8405-516218e3d268", "name": "panel_15", "type": "visualization" }, { - "id": "bf45dc50-ff1a-11e9-8405-516218e3d268", + "id": "60301890-ff1d-11e9-8405-516218e3d268", "name": "panel_16", "type": "visualization" }, { - "id": "7322f9f0-ff1c-11e9-8405-516218e3d268", + "id": "9dd22440-ff1d-11e9-8405-516218e3d268", "name": "panel_17", "type": "visualization" }, { - "id": "d3a5fec0-ff18-11e9-8405-516218e3d268", + "id": "c9d959f0-ff1d-11e9-8405-516218e3d268", "name": "panel_18", "type": "visualization" }, { - "id": "1b6725f0-ff1d-11e9-8405-516218e3d268", + "id": "1f271bc0-231a-11ea-8405-516218e3d268", "name": "panel_19", "type": "visualization" }, { - "id": "60301890-ff1d-11e9-8405-516218e3d268", + "id": "fa876300-231a-11ea-8405-516218e3d268", "name": "panel_20", "type": "visualization" }, { - "id": "9dd22440-ff1d-11e9-8405-516218e3d268", + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", "name": "panel_21", "type": "visualization" }, { - "id": "c9d959f0-ff1d-11e9-8405-516218e3d268", + "id": "26877510-9b72-11ea-87e4-49f31ec44891", "name": "panel_22", "type": "visualization" }, { - "id": "1f271bc0-231a-11ea-8405-516218e3d268", + "id": "117f5a30-9b71-11ea-87e4-49f31ec44891", "name": "panel_23", "type": "visualization" }, { - "id": "fa876300-231a-11ea-8405-516218e3d268", + "id": "5c9ee410-9b74-11ea-87e4-49f31ec44891", "name": "panel_24", "type": "visualization" + }, + { + "id": "aa31c9d0-9b75-11ea-87e4-49f31ec44891", + "name": "panel_25", + "type": "visualization" + }, + { + "id": "caf4d2b0-9b76-11ea-87e4-49f31ec44891", + "name": "panel_26", + "type": "visualization" } ], "type": "dashboard", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzQ0LDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "WzU4LDFd" }, { "attributes": { 
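Review bot: panel_9 and panel_10 now reference objects of `"type": "search"` (`7e178c80-fee1-11e9-8405-516218e3d268`, `324686c0-fefb-11e9-8405-516218e3d268`) instead of visualizations, and every other id in the list is re-assigned to a different `panel_N` name; importing the dashboard only works if each id is exported in the same file and the ordering still matches the `panelRefName` values in `panelsJSON`. This chunk shows one saved-search object being introduced (the one carrying `columns`), so I cannot confirm both searches are present — presumably they are, but it is worth a quick check that the bundle's object ids cover every `references[].id` here.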
@@ -538,7 +630,7 @@
 "aggs": [],
 "params": {
 "fontSize": 10,
- "markdown": "# **User Management Events**\n\n#### This dashboard shows information about User Management Events collected by winlogbeat\n#\n#\n#\nEvent | Description\n-- | --\n4720 | A user account was created\n4722 | A user account was enabled\n4723 | An attempt was made to change an account's password\n4724 | An attempt was made to reset an account's password\n4725 | An user account was disabled\n4726 | An user account was deleted\n4738 | An user account was changed\n4740 | An user account was locked out\n4767 | An account was unlocked\n4781 | The name of an account was changed",
+ "markdown": "# **User Management Events**\n\n#### This dashboard shows information about User Management Events collected by winlogbeat\n",
 "openLinksInNewTab": false
 },
 "title": "User Management Events - Description [Winlogbeat Security]",
@@ -547,12 +639,12 @@
 },
 "id": "2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf",
 "migrationVersion": {
- "visualization": "7.4.2"
+ "visualization": "7.7.0"
 },
 "references": [],
 "type": "visualization",
- "updated_at": "2020-02-04T20:39:02.784Z",
- "version": "WzcxLDFd"
+ "updated_at": "2020-06-04T16:26:25.228Z",
+ "version": "Wzg3LDFd"
 },
 {
 "attributes": {
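Review bot: The new `markdown` value keeps only the heading, so the dashboard no longer tells the analyst which Security event IDs feed the per-event tables (4720 created, 4722 enabled, 4723/4724 password change/reset, 4725 disabled, 4726 deleted, 4738 changed, 4740 locked out, 4767 unlocked, 4781 renamed). Since the tables below are now split per event code, that mapping is more useful than before, not less; I would keep the `Event | Description` table in the string, or at least a one-line list of the codes each table is filtered on.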
@@ -570,112 +662,18 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4765", - "4766", - "4767", - "4780", - "4781", - "4794", - "5376", - "5377" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377" + "params": { + "query": "4720" + }, + "type": "phrase", + "value": "4720" }, "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4765" - } - }, - { - "match_phrase": { - "event.code": "4766" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4780" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4794" - } - }, - { - "match_phrase": { - "event.code": "5376" - } - }, - { - "match_phrase": { - "event.code": "5377" - } - } - ] + "match": { + "event.code": { + "query": "4720", + "type": "phrase" + } } } } @@ -687,8 +685,17 @@ } } }, - "title": "User Management Events - Event Actions - Donut [Winlogbeat Security]", - "uiStateJSON": {}, + "title": "Users Created - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, "version": 1, "visState": { "aggs": [ 
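Review bot: Narrowing this filter from the 16-code `phrases` list to the single `phrase` `"4720"` is consistent with the new "Users Created" title, but the old list also covered 4765, 4766, 4780, 4794, 5376 and 5377, and no table in this chunk is filtered on any of those codes (the tables visible here cover 4720, 4722, 4723/4724, 4725, 4726, 4738, 4740 and 4767). Unless a panel outside this chunk still surfaces them, those events — SID-history, admin-ACL, DSRM-password and credential-backup changes, all worth an analyst's attention — silently drop off the dashboard. A short note in the description panel saying which codes are intentionally excluded, or one extra table on the remaining codes, would close that gap.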
@@ -703,22 +710,55 @@ "enabled": true, "id": "2", "params": { - "field": "event.action", + "customLabel": "Created User", + "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", "size": 5 }, - "schema": "segment", + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performer LogonID", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", "type": "terms" } ], "params": { - "addLegend": true, - "addTooltip": true, "dimensions": { "buckets": [ { 
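Review bot: The new `"id": "4"` terms agg labels `winlog.logon.id` as `"Performer LogonID"`, while the same column in the sibling tables is spelled `"Performer LogonId"` (`@@ -876,7 +944,7 @@` and `@@ -2434,7 +2154,7 @@`), `"Performed LogonId"` (`@@ -1340,7 +1344,7 @@`) and `"Performer Logonid"` (`@@ -1740,7 +1754,7 @@`). These are the same column in eight near-identical tables, so one spelling — `"customLabel": "Performer LogonId"` — in every occurrence would keep the dashboard readable and make the tables diff cleanly against each other. The `aggs` array this hunk extends opens before the hunk.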
@@ -733,34 +773,62 @@ } }, "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], - "metric": { - "accessor": 1, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } + "metrics": [ + { + "accessor": 3, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] }, - "isDonut": true, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null }, - "legendPosition": "right", - "type": "pie" + "totalFunc": "sum" }, - "title": "User Management Events - Event Actions - Donut [Winlogbeat Security]", - "type": "pie" + "title": "Users Created - Table [Winlogbeat Security]", + "type": "table" } }, - "id": "833e0110-b9ec-11e9-b6a2-c9b4015c4baf", + "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -775,8 +843,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzcyLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzg4LDFd" }, { "attributes": { @@ -795,15 +863,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4720" + "query": "4722" }, "type": "phrase", - "value": "4720" + "value": "4722" }, "query": { "match": { "event.code": { - "query": "4720", + "query": "4722", "type": "phrase" } } 
@@ -817,7 +885,7 @@
 }
 }
 },
- "title": "Users Created - Table [Winlogbeat Security]",
+ "title": "Users Enabled - Table [Winlogbeat Security]",
 "uiStateJSON": {
 "vis": {
 "params": {
@@ -842,7 +910,7 @@
 "enabled": true,
 "id": "2",
 "params": {
- "customLabel": "Created User",
+ "customLabel": "Enabled User",
 "field": "winlog.event_data.TargetUserName",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
@@ -876,7 +944,7 @@
 "enabled": true,
 "id": "4",
 "params": {
- "customLabel": "Performer LogonID",
+ "customLabel": "Performer LogonId",
 "field": "winlog.logon.id",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
@@ -954,13 +1022,13 @@
 },
 "totalFunc": "sum"
 },
- "title": "Users Created - Table [Winlogbeat Security]",
+ "title": "Users Enabled - Table [Winlogbeat Security]",
 "type": "table"
 }
 },
- "id": "5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf",
+ "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf",
 "migrationVersion": {
- "visualization": "7.4.2"
+ "visualization": "7.7.0"
 },
 "references": [
 {
@@ -975,8 +1043,8 @@
 }
 ],
 "type": "visualization",
- "updated_at": "2020-02-04T20:39:02.784Z",
- "version": "WzczLDFd"
+ "updated_at": "2020-06-04T16:26:25.228Z",
+ "version": "Wzg5LDFd"
 },
 {
 "attributes": {
@@ -994,112 +1062,18 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4765", - "4766", - "4767", - "4780", - "4781", - "4794", - "5376", - "5377" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377" + "params": { + "query": "4725" + }, + "type": "phrase", + "value": "4725" }, "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4765" - } - }, - { - "match_phrase": { - "event.code": "4766" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4780" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4794" - } - }, - { - "match_phrase": { - "event.code": "5376" - } - }, - { - "match_phrase": { - "event.code": "5377" - } - } - ] + "match": { + "event.code": { + "query": "4725", + "type": "phrase" + } } } } @@ -1111,7 +1085,7 @@ } } }, - "title": "User Management Events - Event Actions - Table [Winlogbeat Security]", + "title": "Users Disabled - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { 
@@ -1136,15 +1110,15 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Event Short Description", - "field": "event.action", + "customLabel": "Disabled User", + "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 10 + "size": 100 }, "schema": "bucket", "type": "terms" @@ -1153,8 +1127,25 @@ "enabled": true, "id": "3", "params": { - "customLabel": "Event Code", - "field": "event.code", + "customLabel": "Performed by", + "field": "winlog.event_data.SubjectUserName", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performer LogonId", + "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -1195,11 +1186,24 @@ } }, "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} } ], "metrics": [ { - "accessor": 2, + "accessor": 3, "aggType": "count", "format": { "id": "number" @@ -1218,13 +1222,13 @@ }, "totalFunc": "sum" }, - "title": "User Management Events - Event Actions - Table [Winlogbeat Security]", + "title": "Users Disabled - Table [Winlogbeat Security]", "type": "table" } }, - "id": "b2cecf10-bcd3-11e9-b6a2-c9b4015c4baf", + "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1239,8 +1243,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc0LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzkwLDFd" }, { "attributes": { 
@@ -1259,15 +1263,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4722" + "query": "4726" }, "type": "phrase", - "value": "4722" + "value": "4726" }, "query": { "match": { "event.code": { - "query": "4722", + "query": "4726", "type": "phrase" } } @@ -1281,7 +1285,7 @@ } } }, - "title": "Users Enabled - Table [Winlogbeat Security]", + "title": "Users Deleted - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1306,7 +1310,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Enabled User", + "customLabel": "Deleted User", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1340,7 +1344,7 @@ "enabled": true, "id": "4", "params": { - "customLabel": "Performer LogonId", + "customLabel": "Performed LogonId", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1418,13 +1422,13 @@ }, "totalFunc": "sum" }, - "title": "Users Enabled - Table [Winlogbeat Security]", + "title": "Users Deleted - Table [Winlogbeat Security]", "type": "table" } }, - "id": "0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1439,8 +1443,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc1LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzkxLDFd" }, { "attributes": { 
@@ -1458,18 +1462,28 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": { - "query": "4725" - }, - "type": "phrase", - "value": "4725" + "params": [ + "4723", + "4724" + ], + "type": "phrases", + "value": "4723, 4724" }, "query": { - "match": { - "event.code": { - "query": "4725", - "type": "phrase" - } + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "4723" + } + }, + { + "match_phrase": { + "event.code": "4724" + } + } + ] } } } @@ -1481,7 +1495,7 @@ } } }, - "title": "Users Disabled - Table [Winlogbeat Security]", + "title": "Users Password Changes - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1506,7 +1520,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Disabled User", + "customLabel": "Password Change to", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1618,13 +1632,13 @@ }, "totalFunc": "sum" }, - "title": "Users Disabled - Table [Winlogbeat Security]", + "title": "Users Password Changes - Table [Winlogbeat Security]", "type": "table" } }, - "id": "8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1639,8 +1653,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc2LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzkyLDFd" }, { "attributes": { @@ -1659,15 +1673,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4726" + "query": "4767" }, "type": "phrase", - "value": "4726" + "value": "4767" }, "query": { "match": { "event.code": { - "query": "4726", + "query": "4767", "type": "phrase" } } 
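Review bot: The "Users Password Changes" table now filters on both `4723` and `4724` but its only bucket column on the target side is `winlog.event_data.TargetUserName` labelled `"Password Change to"`, so a row cannot show whether the password was changed by the user (4723) or reset by someone else (4724) — the distinction the removed description text drew, and the one that matters when triaging unexpected resets. Adding a terms bucket on `event.code` (or `event.action`) next to the `"id": "3"` `SubjectUserName` agg, mirroring its params, with a matching entry in `dimensions.buckets` and the metric accessor bumped, would make each row self-explanatory. The `visState` that would take the extra agg lies outside this hunk.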
@@ -1681,7 +1695,7 @@ } } }, - "title": "Users Deleted - Table [Winlogbeat Security]", + "title": "Unlocked Users - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -1706,7 +1720,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Deleted User", + "customLabel": "Unlocked User", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1740,7 +1754,7 @@ "enabled": true, "id": "4", "params": { - "customLabel": "Performed LogonId", + "customLabel": "Performer Logonid", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", @@ -1818,13 +1832,13 @@ }, "totalFunc": "sum" }, - "title": "Users Deleted - Table [Winlogbeat Security]", + "title": "Unlocked Users - Table [Winlogbeat Security]", "type": "table" } }, - "id": "ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", + "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -1839,8 +1853,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc3LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk4LDFd" }, { "attributes": { 
@@ -1858,312 +1872,18 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4765", - "4766", - "4767", - "4780", - "4781", - "4794", - "5376", - "5377" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377" + "params": { + "query": "4738" + }, + "type": "phrase", + "value": "4738" }, "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4765" - } - }, - { - "match_phrase": { - "event.code": "4766" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4780" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4794" - } - }, - { - "match_phrase": { - "event.code": "5376" - } - }, - { - "match_phrase": { - "event.code": "5377" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "defaultColors": { - "0 - 14": "rgb(247,251,255)", - "14 - 28": "rgb(198,219,239)", - "28 - 42": "rgb(107,174,214)", - "42 - 55": "rgb(33,113,181)" - } - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - 
"id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Target User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 15 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Operation", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "colorSchema": "Blues", - "colorsNumber": 4, - "colorsRange": [], - "dimensions": { - "series": [ - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" + "match": { + "event.code": { + "query": "4738", + "type": "phrase" } - }, - "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - "y": [ - { - "accessor": 2, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "enableHover": false, - "invertColors": false, - "legendPosition": "right", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": true - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] - }, - "title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat 
Security]", - "type": "heatmap" - } - }, - "id": "dce77e60-bcd7-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc4LDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4723", - "4724" - ], - "type": "phrases", - "value": "4723, 4724" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - } - ] } } } @@ -2175,7 +1895,7 @@ } } }, - "title": "Users Password Changes - Table [Winlogbeat Security]", + "title": "Users Changes Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -2200,7 +1920,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Password Change to", + "customLabel": "Changed User", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -2312,13 +2032,13 @@ }, "totalFunc": "sum" }, - "title": "Users Password Changes - Table [Winlogbeat Security]", + "title": "Users Changes Table [Winlogbeat Security]", "type": "table" } }, - "id": "da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", + "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { 
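Review bot: The new title `"Users Changes Table [Winlogbeat Security]"` (set twice, in `@@ -2175,7 +1895,7 @@` and `@@ -2312,13 +2032,13 @@`) drops the ` - ` separator every sibling table uses (`"Users Locked Out - Table [Winlogbeat Security]"`, `"Unlocked Users - Table [Winlogbeat Security]"`), so it sorts and reads differently in the saved-objects list. `"title": "Users Changed - Table [Winlogbeat Security]"` in both places would match the `"customLabel": "Changed User"` set in the same commit and the naming of the other tables.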
@@ -2333,8 +2053,8 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzc5LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "Wzk5LDFd" }, { "attributes": { @@ -2353,15 +2073,15 @@ "key": "event.code", "negate": false, "params": { - "query": "4767" + "query": "4740" }, "type": "phrase", - "value": "4767" + "value": "4740" }, "query": { "match": { "event.code": { - "query": "4767", + "query": "4740", "type": "phrase" } } @@ -2375,7 +2095,7 @@ } } }, - "title": "Unlocked Users - Table [Winlogbeat Security]", + "title": "Users Locked Out - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { @@ -2400,7 +2120,7 @@ "enabled": true, "id": "2", "params": { - "customLabel": "Unlocked User", + "customLabel": "Locked User", "field": "winlog.event_data.TargetUserName", "missingBucket": false, "missingBucketLabel": "Missing", @@ -2434,7 +2154,7 @@ "enabled": true, "id": "4", "params": { - "customLabel": "Performer Logonid", + "customLabel": "Performer LogonId", "field": "winlog.logon.id", "missingBucket": false, "missingBucketLabel": "Missing", @@ -2512,13 +2232,13 @@ }, "totalFunc": "sum" }, - "title": "Unlocked Users - Table [Winlogbeat Security]", + "title": "Users Locked Out - Table [Winlogbeat Security]", "type": "table" } }, - "id": "da2110c0-bcea-11e9-b6a2-c9b4015c4baf", + "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { @@ -2533,12 +2253,20 @@ } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzg1LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwMywxXQ==" }, { "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], "description": "", + "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ 
@@ -2552,701 +2280,11 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "event.code", "negate": false, - "params": { - "query": "4738" - }, - "type": "phrase", - "value": "4738" - }, - "query": { - "match": { - "event.code": { - "query": "4738", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Users Changes Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Changed User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - 
"otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "title": "Users Changes Table [Winlogbeat Security]", - "type": "table" - } - }, - "id": "abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzg2LDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4740" - }, - "type": "phrase", - "value": "4740" - }, - "query": { - "match": { - "event.code": { - "query": "4740", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Users Locked Out - 
Table [Winlogbeat Security]", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Locked User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 
3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "title": "Users Locked Out - Table [Winlogbeat Security]", - "type": "table" - } - }, - "id": "4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkwLDFd" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4767", - "4781", - "4798" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - 
"event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4798" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Event Distribution in time [Winlogbeat Security]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "timeRange": { - "from": "now-45d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "dimensions": { - "series": [ - { - "accessor": 1, - "aggType": "filters", - "format": {}, - "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "date_histogram", - "format": { - "id": "date", - "params": { - "pattern": "YYYY-MM-DD HH:mm" - } - }, - "params": { - "bounds": { - "max": "2019-11-04T14:10:39.628Z", - "min": "2019-09-20T13:10:39.628Z" - }, - "date": true, - "format": "YYYY-MM-DD HH:mm", - "interval": "PT12H" - } - }, - "y": [ - { - "accessor": 2, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "grid": { - 
"categoryLines": false - }, - "labels": { - "show": true - }, - "legendPosition": "bottom", - "seriesParams": [ - { - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "mode": "stacked", - "show": "true", - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "Event Distribution in time [Winlogbeat Security]", - "type": "histogram" - } - }, - "id": "8f723a10-bd97-11e9-b9c5-fddc96658612", - "migrationVersion": { - "visualization": "7.4.2" - }, - "references": [ - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkxLDFd" - }, - { - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4624" - ], - "type": "phrases", - "value": "4624" + "params": [ + "4624" + ], + "type": "phrases", + "value": "4624" }, "query": { "bool": { 
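Review bot: The histogram visualization with id `8f723a10-bd97-11e9-b9c5-fddc96658612` ("Event Distribution in time [Winlogbeat Security]") is removed by this hunk (which starts at L250) with no re-added object of that id visible anywhere in the diff; if a dashboard in this module still lists it in its `references` (via a `panelRefName`), importing the bundle fails on the dangling reference. The other removed objects, `abf96c10-bcea-11e9-b6a2-c9b4015c4baf` and `4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf`, are accounted for by the retitled tables in the `@@ -2312` and `@@ -2512` hunks, so those look like a de-duplication rather than a loss. Please grep the module's dashboard JSON for `8f723a10-bd97-11e9-b9c5-fddc96658612` before merging to confirm nothing points at it.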
@@ -3297,8 +2335,8 @@ } ], "type": "search", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkyLDFd" + "updated_at": "2020-06-04T16:26:27.206Z", + "version": "WzE0MywxXQ==" }, { "attributes": { @@ -3306,7 +2344,7 @@ "event.action", "winlog.event_data.TargetUserName", "user.domain", - "winlog.event_data.SubjectUserName", + "user.name", "winlog.event_data.SubjectDomainName", "winlog.logon.id", "related.user" @@ -3336,10 +2374,11 @@ "4738", "4740", "4767", - "4781" + "4781", + "4798" ], "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781" + "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" }, "query": { "bool": { @@ -3394,6 +2433,11 @@ "match_phrase": { "event.code": "4781" } + }, + { + "match_phrase": { + "event.code": "4798" + } } ] } @@ -3435,8 +2479,8 @@ } ], "type": "search", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "WzkzLDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwNSwxXQ==" }, { "attributes": { @@ -3450,7 +2494,7 @@ } } }, - "title": "Users Disabled - VB Metric [Winlogbeat Security]", + "title": "Users Disabled - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3461,18 +2505,19 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(219,223,0,1)", + "background_color": "rgba(79,147,150,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { @@ -3482,6 +2527,7 @@ "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", 
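Review bot: Swapping the `winlog.event_data.SubjectUserName` column for `user.name` in the `@@ -3306` hunk changes what that column shows unless the security module populates `user.name` from the subject (acting) account for every event code in this saved search (4720 through 4798); I cannot verify the mapping from the diff, and the neighbouring `winlog.event_data.SubjectDomainName` column is kept, so the pair now mixes an ECS field with a raw event-data field. If `user.name` is the intended ECS replacement for the actor, consider replacing the domain column with its ECS counterpart in the same change so the two columns stay paired; otherwise keep `"winlog.event_data.SubjectUserName",` here. The enclosing `columns` array and saved-search object start outside the hunk.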
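Review bot: `"default_index_pattern": "packetbeat-*"` in the `@@ -3461` hunk looks like an artifact of the Kibana instance these objects were re-exported from rather than an intended setting for a winlogbeat module dashboard. As far as I know TSVB only falls back to `default_index_pattern` when `index_pattern` is empty, and `"index_pattern": "winlogbeat-*"` is still set a few lines below, so the metric works today; but it now carries a dependency on a Packetbeat index that would silently take effect if the explicit pattern were ever cleared in the UI. The same replacement recurs in every TSVB metric in this file (hunks `@@ -3545`, `@@ -3629`, `@@ -3713`, `@@ -3758`, `@@ -3797`, `@@ -3881`, `@@ -3965` and `@@ -4049`); I would restore `"default_index_pattern": "winlogbeat-*",` in all of them so the module ships self-consistent objects.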
@@ -3506,21 +2552,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Disabled - VB Metric [Winlogbeat Security]", + "title": "Users Disabled - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "97c70300-ff1c-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzYwLDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "WzcwLDFd" }, { "attributes": { @@ -3534,7 +2581,7 @@ } } }, - "title": "Users Enabled - VB Metric [Winlogbeat Security]", + "title": "Users Enabled - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3545,18 +2592,19 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(251,158,0,1)", + "background_color": "rgba(203,142,136,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { @@ -3566,6 +2614,7 @@ "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", 
@@ -3591,20 +2640,21 @@ "show_grid": 1, "show_legend": 1, "time_field": "", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Enabled - VB Metric [Winlogbeat Security]", + "title": "Users Enabled - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "bf45dc50-ff1a-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzYxLDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "WzcxLDFd" }, { "attributes": { @@ -3618,7 +2668,7 @@ } } }, - "title": "Users Deleted - VB Metric [Winlogbeat Security]", + "title": "Users Deleted - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3629,18 +2679,19 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(176,188,0,1)", + "background_color": "rgba(228,155,75,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { @@ -3650,6 +2701,7 @@ "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", 
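Review bot: `"time_field": ""` is left untouched for the Users Enabled metric in this hunk, while the sibling hunks for Users Disabled (`@@ -3506`), Users Deleted (`@@ -3674`) and Users Created (`@@ -3758`) change the same key to `"time_field": "@timestamp"`. With `"default_timefield": "@timestamp"` present in this object it will presumably fall back correctly, but the five metrics are otherwise identical in shape and should agree; change the context line to `"time_field": "@timestamp",`.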
@@ -3674,21 +2726,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Deleted - VB Metric [Winlogbeat Security]", + "title": "Users Deleted - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, "id": "7322f9f0-ff1c-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzYyLDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "WzcyLDFd" }, { "attributes": { @@ -3702,7 +2755,7 @@ } } }, - "title": "Users Created - VB Metric [Winlogbeat Security]", + "title": "Users Created - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3713,18 +2766,19 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(159,5,0,1)", + "background_color": "rgba(181,99,93,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { @@ -3734,6 +2788,7 @@ "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", 
@@ -3758,21 +2813,109 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Users Created - TSVB Metric [Winlogbeat Security]", + "type": "metrics" + } + }, + "id": "d3a5fec0-ff18-11e9-8405-516218e3d268", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "WzczLDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Users Unlocks - TSVB Metric [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(204,204,204,1)", + "id": "8d597960-ff18-11e9-8249-2371c695f3b0", + "operator": "lte", + "value": 0 + }, + { + "background_color": "rgba(116,167,167,1)", + "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", + "operator": "gte", + "value": 1 + } + ], + "default_index_pattern": "packetbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 0, + "filter": { + "language": "kuery", + "query": "event.code: \"4767\" " + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "winlogbeat-*", + "interval": "90d", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Users Unlocks", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": 
"@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Created - VB Metric [Winlogbeat Security]", + "title": "Users Unlocks - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, - "id": "d3a5fec0-ff18-11e9-8405-516218e3d268", + "id": "1b6725f0-ff1d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzYzLDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "Wzc0LDFd" }, { "attributes": { @@ -3786,7 +2929,7 @@ } } }, - "title": "Users Unlocks - VB Metric [Winlogbeat Security]", + "title": "Users Password Changes - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3797,27 +2940,29 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(254,146,0,1)", + "background_color": "rgba(154,196,198,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code: \"4767\" " + "query": "event.code: \"4723\" OR event.code: \"4724\"" }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -3826,7 +2971,7 @@ "fill": 0.5, "formatter": "number", "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Users Unlocks", + "label": "Password Changes/Reset", "line_width": 1, "metrics": [ { 
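Review bot: The KQL filter of the new Users Unlocks metric (hunk `@@ -3758`, which starts on L260) keeps a trailing space, `"query": "event.code: \"4767\" "`, while the sibling filters in the `@@ -3797` hunk (`event.code: \"4723\" OR event.code: \"4724\"`) and `@@ -3881` (`event.code: \"4740\"`) do not. KQL ignores the whitespace, so this is style only, but it makes the objects diff noisily against a clean re-export; the same trailing space is in `@@ -3965` (`4738`) and `@@ -4049` (`4781`). I would normalise all three to `"query": "event.code: \"4767\""` form.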
@@ -3842,21 +2987,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Unlocks - VB Metric [Winlogbeat Security]", + "title": "Users Password Changes - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, - "id": "1b6725f0-ff1d-11e9-8405-516218e3d268", + "id": "60301890-ff1d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzY0LDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "Wzc1LDFd" }, { "attributes": { @@ -3870,7 +3016,7 @@ } } }, - "title": "Users Password Changes - VB Metric [Winlogbeat Security]", + "title": "Users locked Out - TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3881,27 +3027,29 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(22,165,165,1)", + "background_color": "rgba(102,102,102,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code: \"4723\" OR event.code: \"4724\"" + "query": "event.code: \"4740\"" }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -3910,7 +3058,7 @@ "fill": 0.5, "formatter": "number", "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Password Changes/Reset", + "label": "Users Locked Out", "line_width": 1, "metrics": [ { 
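Review bot: The new title in the `@@ -3870` hunk, `Users locked Out - TSVB Metric [Winlogbeat Security]`, lower-cases "locked" while the series label set in `@@ -3910` is `Users Locked Out` and the table in `@@ -2375` is `Users Locked Out - Table [Winlogbeat Security]`; the title is what appears in the panel header and in saved-object search, so use `"title": "Users Locked Out - TSVB Metric [Winlogbeat Security]"` both here and where it is repeated in `@@ -3926`. The same family of objects also varies the naming pattern: `Users Changes TS VB Metric` (`@@ -3954`, `@@ -4010`) splits "TSVB" and drops the ` - ` separator, and `Users Renamed TSVB Metric` (`@@ -4038`, `@@ -4094`) drops the separator. Aligning all of them to the `<Name> - TSVB Metric [Winlogbeat Security]` form used by the other metrics keeps the saved-object list sortable and greppable.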
@@ -3926,21 +3074,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Password Changes - VB Metric [Winlogbeat Security]", + "title": "Users locked Out - TSVB Metric [Winlogbeat Security]", "type": "metrics" } }, - "id": "60301890-ff1d-11e9-8405-516218e3d268", + "id": "9dd22440-ff1d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzY1LDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "Wzc2LDFd" }, { "attributes": { @@ -3954,7 +3103,7 @@ } } }, - "title": "Users locked Out - VB Metric [Winlogbeat Security]", + "title": "Users Changes TS VB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -3965,27 +3114,29 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(51,51,51,1)", + "background_color": "rgba(221,186,64,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code: \"4740\"" + "query": "event.code: \"4738\" " }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -3994,7 +3145,7 @@ "fill": 0.5, "formatter": "number", "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Users Locked Out", + "label": "Users Changes", "line_width": 1, "metrics": [ { 
@@ -4010,21 +3161,22 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users locked Out - VB Metric [Winlogbeat Security]", + "title": "Users Changes TS VB Metric [Winlogbeat Security]", "type": "metrics" } }, - "id": "9dd22440-ff1d-11e9-8405-516218e3d268", + "id": "c9d959f0-ff1d-11e9-8405-516218e3d268", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzY2LDFd" + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "Wzc3LDFd" }, { "attributes": { @@ -4038,7 +3190,7 @@ } } }, - "title": "Users Changes VB Metric [Winlogbeat Security]", + "title": "Users Renamed TSVB Metric [Winlogbeat Security]", "uiStateJSON": {}, "version": 1, "visState": { @@ -4049,27 +3201,29 @@ "axis_scale": "normal", "background_color_rules": [ { + "background_color": "rgba(204,204,204,1)", "id": "8d597960-ff18-11e9-8249-2371c695f3b0", "operator": "lte", "value": 0 }, { - "background_color": "rgba(179,179,179,1)", + "background_color": "rgba(110,139,162,1)", "id": "a3f59730-ff18-11e9-8249-2371c695f3b0", "operator": "gte", "value": 1 } ], - "default_index_pattern": "winlogbeat-*", + "default_index_pattern": "packetbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "event.code: \"4738\" " + "query": "event.code: \"4781\" " }, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "winlogbeat-*", "interval": "90d", + "isModelInvalid": false, "series": [ { "axis_position": "right", @@ -4078,7 +3232,7 @@ "fill": 0.5, "formatter": "number", "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Users Changes", + "label": "Users Renamed", "line_width": 1, "metrics": [ { 
@@ -4094,21 +3248,257 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", "type": "metric" }, - "title": "Users Changes VB Metric [Winlogbeat Security]", - "type": "metrics" + "title": "Users Renamed TSVB Metric [Winlogbeat Security]", + "type": "metrics" + } + }, + "id": "1f271bc0-231a-11ea-8405-516218e3d268", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-06-04T16:26:24.183Z", + "version": "Wzc4LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.code", + "negate": false, + "params": { + "query": "4781" + }, + "type": "phrase", + "value": "4781" + }, + "query": { + "match": { + "event.code": { + "query": "4781", + "type": "phrase" + } + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Users Renamed - Table [Winlogbeat Security]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Old User Name", + "field": "winlog.event_data.OldTargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Performed by", + "field": 
"winlog.event_data.SubjectUserName", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Performer LogonId", + "field": "winlog.logon.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 1, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + }, + { + "accessor": 2, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metrics": [ + { + "accessor": 3, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + ] + }, + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Users Renamed - Table [Winlogbeat Security]", + "type": "table" + } + }, + "id": "fa876300-231a-11ea-8405-516218e3d268", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" 
+ } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzEwNywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboard links [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Winlogbeat Overview](#/dashboard/Winlogbeat-Dashboard-ecs) | [User Logon Information](#/dashboard/bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/bb858830-f412-11e9-8405-516218e3d268)", + "openLinksInNewTab": false + }, + "title": "Dashboard links [Winlogbeat Security]", + "type": "markdown" } }, - "id": "c9d959f0-ff1d-11e9-8405-516218e3d268", + "id": "a3c3f350-9b6d-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzY3LDFd" + "updated_at": "2020-06-04T16:49:11.152Z", + "version": "WzI1MCwxXQ==" }, { "attributes": { 
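Review bot: The markdown in the new `Dashboard links [Winlogbeat Security]` panel (this hunk starts on L265) hard-codes dashboard saved-object ids as plain text (`Winlogbeat-Dashboard-ecs`, `bae11b00-9bfc-11ea-87e4-49f31ec44891`, `d401ef40-a7d5-11e9-a422-d144027429da`, `71f720f0-ff18-11e9-8405-516218e3d268`, `bb858830-f412-11e9-8405-516218e3d268`), and its `"references": []` means an import cannot validate them; if any id does not match a dashboard shipped in this module the link silently opens an empty or not-found dashboard. Please confirm each id against the `id` of the corresponding dashboard file in the module before merge. Separately, the new `Users Renamed - Table` in the same hunk buckets only on `winlog.event_data.OldTargetUserName`; an analyst reviewing account renames (event 4781) will usually want the new name beside the old one, which would need an extra terms agg and a matching `dimensions.buckets` entry.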
@@ -4117,123 +3507,155 @@
 "searchSourceJSON": {
 "filter": [],
 "query": {
- "language": "lucene",
+ "language": "kuery",
 "query": ""
 }
 }
 },
- "title": "Users Renamed VB Metric [Winlogbeat Security]",
+ "savedSearchRefName": "search_0",
+ "title": "User Management Actions [Winlogbeat Security]",
 "uiStateJSON": {},
 "version": 1,
 "visState": {
- "aggs": [],
- "params": {
- "axis_formatter": "number",
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "8d597960-ff18-11e9-8249-2371c695f3b0",
- "operator": "lte",
- "value": 0
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "field": "event.action",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 15
 },
- {
- "background_color": "rgba(171,20,158,1)",
- "id": "a3f59730-ff18-11e9-8249-2371c695f3b0",
- "operator": "gte",
- "value": 1
- }
- ],
- "default_index_pattern": "winlogbeat-*",
- "default_timefield": "@timestamp",
- "drop_last_bucket": 0,
- "filter": {
+ "schema": "segment",
+ "type": "terms"
+ }
+ ],
+ "params": {
+ "addLegend": true,
+ "addTooltip": true,
+ "isDonut": false,
+ "labels": {
+ "last_level": true,
+ "show": false,
+ "truncate": 100,
+ "values": true
+ },
+ "legendPosition": "right",
+ "type": "pie"
+ },
+ "title": "User Management Actions [Winlogbeat Security]",
+ "type": "pie"
+ }
+ },
+ "id": "26877510-9b72-11ea-87e4-49f31ec44891",
+ "migrationVersion": {
+ "visualization": "7.7.0"
+ },
+ "references": [
+ {
+ "id": "324686c0-fefb-11e9-8405-516218e3d268",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2020-06-04T16:26:25.228Z",
+ "version": "WzEwOSwxXQ=="
+ },
+ {
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
"language": "kuery", - "query": "event.code: \"4781\" " + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Target Users [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" }, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "winlogbeat-*", - "interval": "90d", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Users Renamed", - "line_width": 1, - "metrics": [ - { - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "count" - } - ], - "point_size": 1, - "separate_axis": 0, - "split_mode": "everything", - "stacked": "none" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "metric" + { + "enabled": true, + "id": "2", + "params": { + "field": "winlog.event_data.TargetUserName", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false }, - "title": "Users Renamed VB Metric [Winlogbeat Security]", - "type": "metrics" + "title": "Target Users [Winlogbeat Security]", + "type": "tagcloud" } }, - "id": "1f271bc0-231a-11ea-8405-516218e3d268", + "id": "117f5a30-9b71-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, - "references": [], + "references": [ + { + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2020-02-04T20:39:01.724Z", - "version": "WzY4LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": 
"WzExMSwxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4781" - }, - "type": "phrase", - "value": "4781" - }, - "query": { - "match": { - "event.code": { - "query": "4781", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "filter": [], "query": { "language": "kuery", "query": "" } } }, - "title": "Users Renamed - Table [Winlogbeat Security]", + "savedSearchRefName": "search_0", + "title": "User Event Actions - Table [Winlogbeat Security]", "uiStateJSON": { "vis": { "params": { 
@@ -4258,142 +3680,334 @@
 "enabled": true,
 "id": "2",
 "params": {
- "customLabel": "Old User Name",
- "field": "winlog.event_data.OldTargetUserName",
+ "customLabel": "event.action",
+ "field": "event.action",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 25
+ },
+ "schema": "bucket",
+ "type": "terms"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "customLabel": "event.code",
+ "field": "event.code",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
+ "order": "desc",
+ "orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
+ "size": 5
+ },
+ "schema": "bucket",
+ "type": "terms"
+ }
+ ],
+ "params": {
+ "perPage": 10,
+ "percentageCol": "",
+ "showMetricsAtAllLevels": false,
+ "showPartialRows": false,
+ "showTotal": false,
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ },
+ "totalFunc": "sum"
+ },
+ "title": "User Event Actions - Table [Winlogbeat Security]",
+ "type": "table"
+ }
+ },
+ "id": "5c9ee410-9b74-11ea-87e4-49f31ec44891",
+ "migrationVersion": {
+ "visualization": "7.7.0"
+ },
+ "references": [
+ {
+ "id": "324686c0-fefb-11e9-8405-516218e3d268",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2020-06-04T16:26:25.228Z",
+ "version": "WzExMCwxXQ=="
+ },
+ {
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "savedSearchRefName": "search_0",
+ "title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat Security]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "customLabel": "Target User",
+ "field": "winlog.event_data.TargetUserName",
"missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 100 + "size": 20 }, - "schema": "bucket", + "schema": "segment", "type": "terms" }, { "enabled": true, "id": "3", "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, + "field": "event.action", + "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 5 + "size": 10 }, - "schema": "bucket", + "schema": "group", "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "colorSchema": "Blues", + "colorsNumber": 4, + "colorsRange": [], + "enableHover": false, + "invertColors": false, + "legendPosition": "right", + "percentageMode": false, + "setColorRange": false, + "times": [], + "type": "heatmap", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "black", + "overwriteColor": false, + "rotate": 0, + "show": true + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "User Management Events - Affected Users vs Actions - Heatmap [Winlogbeat Security]", + "type": "heatmap" + } + }, + "id": "aa31c9d0-9b75-11ea-87e4-49f31ec44891", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [ + { + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzExMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Event Distribution in time [Winlogbeat Security]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + 
"enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" }, { "enabled": true, - "id": "4", + "id": "2", "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-7d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "event.action", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 5 + "size": 15 }, - "schema": "bucket", + "schema": "group", "type": "terms" } ], "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} + "position": "bottom", + "scale": { + "type": "linear" }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false }, - "perPage": 10, - "showMetricsAtAllLevels": false, - 
"showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null + "labels": { + "show": false }, - "totalFunc": "sum" + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] }, - "title": "Users Renamed - Table [Winlogbeat Security]", - "type": "table" + "title": "Event Distribution in time [Winlogbeat Security]", + "type": "histogram" } }, - "id": "fa876300-231a-11ea-8405-516218e3d268", + "id": "caf4d2b0-9b76-11ea-87e4-49f31ec44891", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [ { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "winlogbeat-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "id": "324686c0-fefb-11e9-8405-516218e3d268", + "name": "search_0", + "type": "search" } ], "type": "visualization", - "updated_at": "2020-02-04T20:39:02.784Z", - "version": "Wzk1LDFd" + "updated_at": "2020-06-04T16:26:25.228Z", + "version": "WzExMywxXQ==" } ], - "version": "7.5.2" + "version": "7.7.0" } diff --git a/x-pack/winlogbeat/module/security/dashboards.yml b/x-pack/winlogbeat/module/security/dashboards.yml new file mode 100644 index 00000000000..b50adb30760 --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/dashboards.yml
@@ -0,0 +1,27 @@
+# To export all dashboards use:
+# go run ../../../../dev-tools/cmd/dashboards/export_dashboards.go -yml dashboards.yml
+
+dashboards:
+ - id: d401ef40-a7d5-11e9-a422-d144027429da
+ file: winlogbeat-security-failed-blocked-accounts-tsvb.json
+
+ - id: f49f3170-9ffc-11ea-87e4-49f31ec44891
+ file: winlogbeat-security-failed-blocked-accounts.json
+
+ - id: bb858830-f412-11e9-8405-516218e3d268
+ file: winlogbeat-security-group-management.json
+
+ - id: 01c54730-fee6-11e9-8405-516218e3d268
+ file: winlogbeat-security-group-management-tsvb.json
+
+ - id: bae11b00-9bfc-11ea-87e4-49f31ec44891
+ file: winlogbeat-security-user-logons.json
+
+ - id: 035846a0-a249-11e9-a422-d144027429da
+ file: winlogbeat-security-user-logons-tsvb.json
+
+ - id: 71f720f0-ff18-11e9-8405-516218e3d268
+ file: winlogbeat-security-user-management.json
+
+ - id: 8223bed0-b9e9-11e9-b6a2-c9b4015c4baf
+ file: winlogbeat-security-user-management-tsvb.json