
[Winlogbeat] Additional Dashboards #14149

Closed
philippkahr opened this issue Oct 19, 2019 · 4 comments


philippkahr commented Oct 19, 2019

Hi,

I created some dashboards for Active Directory audit. There are some rules that have to be applied inside the Active Directory.

In the pictures shown for the dashboards, I had to insert some mockup values, but I hope you get the idea.

[Winlogbeat] LDAP Insights

Needs https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/ to work. It will write the LDAP information into the Windows event log Directory Service, so that needs to be added to the Winlogbeat configuration.

Dashboards: [four screenshots attached to the issue, 2019-10-19]

[Winlogbeat] Active directory group audit

Needs the group audit GPOs to be applied in the Active Directory. They will be written into the Security event log.

Dashboards: [three screenshots attached to the issue, 2019-10-19]

[Winlogbeat] Overview single host

Just a simple alteration of the Winlogbeat Dashboard, just for a single host.

Dashboards: [three screenshots attached to the issue, 2019-10-19]
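The post says the clear-text-LDAP-bind events land in the Directory Service log and the group-audit events in the Security log, and that both channels must be enabled in Winlogbeat. The following winlogbeat.yml fragment is an added example of that change; it is not part of the issue, the attached ndjson, or the beats repository. The event ID lists are assumptions taken from general Windows auditing knowledge (2887/2889 from the linked Microsoft blog post on clear-text binds; 47xx for security-group membership and lifecycle changes), not from this page, and a site should verify them against its own audit policy before relying on them.

```yaml
# winlogbeat.yml (added example, not from the issue)
winlogbeat.event_logs:
  # Channels Winlogbeat already collects by default
  - name: Application
    ignore_older: 72h
  - name: System

  # Security log: where the group-audit GPOs write their events.
  # Assumption: restricting to the security-group lifecycle and membership
  # IDs keeps the dashboard queries cheap; drop event_id to collect everything.
  #   4727/4730/4737  global group created/deleted/changed
  #   4728/4729       member added to / removed from global group
  #   4731/4734/4735  local group created/deleted/changed
  #   4732/4733       member added to / removed from local group
  #   4754/4758/4755  universal group created/deleted/changed
  #   4756/4757       member added to / removed from universal group
  - name: Security
    event_id: 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758

  # Directory Service log: written by the LDAP interface diagnostics that the
  # linked blog post tells you to turn on. Assumption: 2889 is logged per
  # clear-text or unsigned bind (with client IP and account), 2887 is the
  # periodic summary count.
  - name: Directory Service
    event_id: 2887, 2889
```

The channel must exist on the host before Winlogbeat can subscribe to it, so the Directory Service entry only produces data on domain controllers; on member servers Winlogbeat will log a subscription error for that channel, which is harmless but worth knowing when the LDAP dashboard stays empty.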


philippkahr commented Oct 19, 2019

Since Winlogbeat is not using any module, I am facing a little issue regarding mage exportDashboard.
In #14101 someone suggested that I use

MODULE=vsphere ID=c359a6c0-4242-11e9-a1b4-79a7ae42ab61 mage exportDashboard
make import-dashboards

However, Winlogbeat has no module, and running mage exportDashboard without a module will fail because the magefile of Winlogbeat (https://github.com/elastic/beats/blob/master/winlogbeat/magefile.go) does not contain the exportDashboard command. I feel like fixing this is out of my league; I am not aware of how the magefiles are linked together. I hope it is ok that I ping you @fearful-symmetry here, I saw that you deal with a lot of issues with mage.

I used the Kibana saved objects export function for the dashboards and placed the ndjson containing all three dashboards into https://github.com/philippkahr/beats/blob/winlogbeatdashboard/winlogbeat/_meta/kibana/7/dashboard/Winlogbeat-dashboards-issue14149.ndjson

@philippkahr philippkahr changed the title [Winlogbeat] Dashboards for Active Directory audit [Winlogbeat] Additional Dashboards Oct 20, 2019
@elasticmachine (Collaborator) commented:

Pinging @elastic/siem (Team:SIEM)

@philippkahr (Contributor, Author) commented:

I think, as of today, it would make more sense to create a dedicated app inside the SIEM for users and groups, which includes the details mentioned above.

@extromen13 commented:

Hi @philippkahr ,

I would like to ask you if you can share these dashboards? The mentioned link is not functional anymore.

Thank you very much in advance
