Skip to content

Cherry-pick #18775 to 7.x: Winlogbeat Security new dashboards - Older dashboards improvements#22598

Merged
andrewkroh merged 1 commit intoelastic:7.xfrom
andrewkroh:backport_18775_7.x
Nov 30, 2020
Merged

Cherry-pick #18775 to 7.x: Winlogbeat Security new dashboards - Older dashboards improvements#22598
andrewkroh merged 1 commit intoelastic:7.xfrom
andrewkroh:backport_18775_7.x

Conversation

@andrewkroh
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh commented Nov 16, 2020
edited by zube bot
Loading

Cherry-pick of PR #18775 to 7.x branch. Original message:

What does this PR do?

This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

  • User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
  • Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

All Dashboards

  • Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

  • Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

  • Removed the margin between panels to look in the same way that other beats dashboards

  • TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Why is it important?

These dashboards allows to take profit of the events processed by the winlogbeat security.
All of them were created for real life companies (a telco company and a hospital) and are heavily used in the day-by-day security operation.

Checklist

  • My code follows the style guidelines of this project
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Screenshots

Failed and Blocked Accounts
Screenshot_2020-05-27 Winlogbeat Security Failed and Blocked Accounts - Elastic Kibana

User Logons
Screenshot_2020-05-27 Winlogbeat Security User Logons - Elastic Kibana

Group Managment
Screenshot_2020-05-27 Winlogbeat Security Group Management Events - Elastic Kibana

User Management

Screenshot_2020-05-27 Winlogbeat Security User Management Events - Elastic Kibana

@janniten @andrewkroh
Winlogbeat Security new dashboards - Older dashboards improvements (e…
c194dd8 
…lastic#18775)

This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (elastic#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
(cherry picked from commit 7b9c535)
@andrewkroh andrewkroh requested a review from a team as a code owner November 16, 2020 18:52
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 16, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Nov 16, 2020

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 16, 2020
@andrewkroh andrewkroh mentioned this pull request Nov 16, 2020
Closed
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Nov 16, 2020

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #22598 opened]

  • Start Time: 2020-11-16T18:53:18.155+0000

  • Duration: 23 min 24 sec

Test stats 🧪

Test Results
Failed 0
Passed 92
Skipped 0
Total 92

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 92
Skipped 0
Total 92

@andrewkroh andrewkroh merged commit 7ed71bd into elastic:7.x Nov 30, 2020
@zube zube bot removed the [zube]: Done label Mar 1, 2021
@andrewkroh andrewkroh deleted the backport_18775_7.x branch January 14, 2022 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kaiyan-sheng kaiyan-sheng kaiyan-sheng approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@andrewkroh @elasticmachine @kaiyan-sheng @janniten