Winlogbeat Security new dashboards - Older dashboards improvements #18775
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
botelastic
bot
added
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
|
jenkins, run tests please |
|
Pinging @elastic/siem (Team:SIEM) |
botelastic
bot
removed
the
needs_team
botelastic
bot
added
the
Team:Automation
I also gave the file names instead of UUIDs since the export_dashboard.go tool does with when you use the -yml option.
|
jenkins, run tests |
andrewkroh
removed
the
Team:Automation
|
jenkins, run tests |
andrewkroh
approved these changes
Jun 4, 2020
melchiormoulin
pushed a commit
to melchiormoulin/beats
that referenced
this pull request
Oct 14, 2020
…lastic#18775) This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard New Dashboards User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections. Failed and Blocked Accounts allow us to keep track to failed logons and locked out account Existing Dashboards Added Distribution groups Events (elastic#15217) Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added All Dashboards Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards) image Visualization that use may events (like group management related visualizations) were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization) Removed the margin between panels to look in the same way that other beats dashboards TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
|
While testing some issues with index patterns and winlogbeat dashboards I've realize that this dashboards are not in winlogbeat 7.9.x. |
andrewkroh
pushed a commit
to andrewkroh/beats
that referenced
this pull request
Nov 16, 2020
…lastic#18775) This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard New Dashboards User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections. Failed and Blocked Accounts allow us to keep track to failed logons and locked out account Existing Dashboards Added Distribution groups Events (elastic#15217) Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added All Dashboards Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards) image Visualization that use may events (like group management related visualizations) were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization) Removed the margin between panels to look in the same way that other beats dashboards TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit 7b9c535)
andrewkroh
added a commit
that referenced
this pull request
Nov 30, 2020
…18775) (#22598) This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard New Dashboards User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections. Failed and Blocked Accounts allow us to keep track to failed logons and locked out account Existing Dashboards Added Distribution groups Events (#15217) Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added All Dashboards Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards) image Visualization that use may events (like group management related visualizations) were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization) Removed the margin between panels to look in the same way that other beats dashboards TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit 7b9c535) Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
This was referenced Jan 17, 2023
efd6
added a commit
to efd6/integrations
that referenced
this pull request
Mar 14, 2023
The dashboards were imported together from beats where they co-existed after the second sets addition. The changes that added them to beats appear to have been: - elastic/beats#18775 - elastic/beats#15236
4 tasks
efd6
added a commit
to efd6/integrations
that referenced
this pull request
Mar 14, 2023
The dashboards were imported together from beats where they co-existed after the second sets addition. The changes that added them to beats appear to have been: - elastic/beats#18775 - elastic/beats#15236
efd6
added a commit
to efd6/integrations
that referenced
this pull request
Mar 20, 2023
The dashboards were imported together from beats where they co-existed after the second sets addition. The changes that added them to beats appear to have been: - elastic/beats#18775 - elastic/beats#15236
efd6
added a commit
to elastic/integrations
that referenced
this pull request
Mar 20, 2023
The dashboards were imported together from beats where they co-existed after the second sets addition. The changes that added them to beats appear to have been: - elastic/beats#18775 - elastic/beats#15236
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard
New Dashboards
Existing Dashboards
All Dashboards
Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
Visualization that use may events (like group management related visualizations)
were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)
Removed the margin between panels to look in the same way that other beats dashboards
TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors
Why is it important?
These dashboards allows to take profit of the events processed by the winlogbeat security.
All of them were created for real life companies (a telco company and a hospital) and are heavily used in the day-by-day security operation.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Screenshots
Failed and Blocked Accounts
User Logons
Group Managment
User Management