diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 6bcf47e781b5..beeee5556ba9 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.25.1"
+ changes:
+ - description: Remove duplicate Windows dashboards.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5525
 - version: "1.25.0"
 changes:
 - description: Convert dashboard visualisations to storage by value.
diff --git a/packages/system/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
deleted file mode 100644
index 6ce875a274c3..000000000000
--- a/packages/system/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,3463 +0,0 @@ -{ - "id": "system-01c54730-fee6-11e9-8405-516218e3d268", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-02-20T02:25:46.962Z", - "version": "WzUyMSwxXQ==", - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Group Management Events - Description [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 10, - "markdown": "# **Group Management Events**\n\n#### This dashboard shows information about Group Management Events collected by winlogbeat\n", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 8, - "i": "22", - "w": 17, - "x": 0, - "y": 0 - }, - "panelIndex": "22", - "title": "", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Groups Created - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": 
"string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 4, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - 
"enabled": true, - "id": "5", - "params": { - "customLabel": "Performer LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4727", - "4754", - "4744", - "4759", - "4779", - "4790", - "4783" - ], - "type": "phrases", - "value": "4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4744" - } - }, - { - "match_phrase": { - "event.code": "4759" - } - }, - { - "match_phrase": { - "event.code": "4779" - } - }, - { - "match_phrase": { - "event.code": "4790" - } - }, - { - "match_phrase": { - "event.code": "4783" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 13, - "i": "36", - "w": 9, - "x": 0, - "y": 59 - }, - "panelIndex": "36", - "title": "Group Creation Summary [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Group Changes - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - 
"params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 4, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": 
true, - "id": "4", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "Performer LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4735", - "4737", - "4755", - "4750", - "4760", - "4745", - "4791", - "4784", - "4764" - ], - "type": "phrases", - "value": "4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4750" - } - }, - { - "match_phrase": { - "event.code": "4760" - } - }, - { - "match_phrase": { - "event.code": "4745" - } - }, - { - "match_phrase": { - "event.code": "4791" - } - }, - { - "match_phrase": { - "event.code": "4784" - } - }, - { - "match_phrase": { - "event.code": "4764" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 13, - "i": "37", - "w": 9, - "x": 9, - "y": 59 - }, - 
"panelIndex": "37", - "title": "Group Changes Summary [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Groups Deleted - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 4, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - 
"size": 20 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "Performer LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4734", - "4730", - "4758", - "4748", - "4763", - "4753", - "4792", - "4789" - ], - "type": "phrases", - "value": "4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4758" - } - }, - { - "match_phrase": { - "event.code": "4748" - } - }, - { - "match_phrase": { - "event.code": "4763" - } - }, - { - "match_phrase": { - "event.code": "4753" - } - }, - { - "match_phrase": { - "event.code": "4792" - } - }, - { - "match_phrase": { - "event.code": 
"4789" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 13, - "i": "38", - "w": 9, - "x": 18, - "y": 59 - }, - "panelIndex": "38", - "title": "Group Deletion Summary [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Added - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 4, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 5, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - 
"showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "User", - "field": "winlog.event_data.MemberName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "Performed by", - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "6", - "params": { - "customLabel": "Performed by Logon ID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - 
"alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4732", - "4728", - "4756", - "4751", - "4761", - "4746", - "4785", - "4787" - ], - "type": "phrases", - "value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4751" - } - }, - { - "match_phrase": { - "event.code": "4761" - } - }, - { - "match_phrase": { - "event.code": "4746" - } - }, - { - "match_phrase": { - "event.code": "4785" - } - }, - { - "match_phrase": { - "event.code": "4787" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 14, - "i": "39", - "w": 16, - "x": 0, - "y": 81 - }, - "panelIndex": "39", - "title": "Users Added to Group Summary [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Removed from Group - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": 
"Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 4, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 5, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "User", - "field": "winlog.event_data.MemberName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - 
"otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "6", - "params": { - "customLabel": "Performed by Logon ID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4733", - "4729", - "4757", - "4786", - "4788", - "4752", - "4762", - "4747" - ], - "type": "phrases", - "value": "4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4786" - } - }, - { - "match_phrase": { - "event.code": "4788" - } - }, - { - "match_phrase": { - "event.code": "4752" - } - }, - { - "match_phrase": { - "event.code": "4762" - } - }, - { - "match_phrase": { - "event.code": "4747" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": 
{ - "h": 14, - "i": "40", - "w": 17, - "x": 16, - "y": 81 - }, - "panelIndex": "40", - "title": "Users Removed From Group Summary [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Group Enumeration - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 4, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 5, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Group", - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - 
"otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Domain", - "field": "group.domain", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Creator", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "Creator LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4799" - ], - "type": "phrases", - "value": "4799" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4799" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 14, - "i": "42", - "w": 15, - "x": 33, - "y": 81 - }, - "panelIndex": "42", - "title": "Group Membership Enumeration Summary [Windows System Security]", - "type": "visualization", - 
"version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 22, - "i": "43", - "w": 21, - "x": 27, - "y": 50 - }, - "panelIndex": "43", - "panelRefName": "panel_43", - "title": "Logon Details [Windows System Security]", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 21, - "i": "51", - "w": 48, - "x": 0, - "y": 95 - }, - "panelIndex": "51", - "panelRefName": "panel_51", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Dashboard links - Simple [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 12, - "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)" - } - } - } - } - }, - "gridData": { - "h": 8, - "i": "45614e1c-b2bb-4243-9a74-a4bdd0124c87", - "w": 31, - "x": 17, - "y": 0 - }, - "panelIndex": "45614e1c-b2bb-4243-9a74-a4bdd0124c87", - "title": "", - "type": "visualization", - "version": "8.0.0" - 
}, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Group Management Events - Event Actions - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "perPage": 10, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "event.action", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 50 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "event.code", - "field": "event.code", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 21, - "i": "88e75800-8125-4c9e-96b8-5c36f6e91664", - "w": 9, - "x": 21, - "y": 8 - }, - "panelIndex": "88e75800-8125-4c9e-96b8-5c36f6e91664", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Group Management Events - Target Groups - Tag Cloud [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "maxFontSize": 58, - "minFontSize": 18, - "orientation": 
"single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "type": "tagcloud", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "group.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 21, - "i": "4b793b8e-72d4-42a2-b377-1c70f0307414", - "w": 18, - "x": 30, - "y": 8 - }, - "panelIndex": "4b793b8e-72d4-42a2-b377-1c70f0307414", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "vis": null, - "savedVis": { - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "addLegend": true, - "addTooltip": true, - "colorSchema": "Blues", - "colorsNumber": 4, - "colorsRange": [], - "enableHover": false, - "invertColors": false, - "legendPosition": "right", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": true - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] - }, - "type": "heatmap", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Target Groups", - "field": "group.name", - "missingBucket": false, 
- "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Actions", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "group", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 21, - "i": "82d229f9-44f4-4c4b-baf7-f9673a14c87f", - "w": 26, - "x": 0, - "y": 29 - }, - "panelIndex": "82d229f9-44f4-4c4b-baf7-f9673a14c87f", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "colors": { - "added-group-account": "#1F78C1", - "added-member-to-group": "#0A437C", - "deleted-group-account": "#5195CE", - "modified-group-account": "#0A50A1", - "type-changed-group-account": "#82B5D8", - "user-member-enumerated": "#2F575E" - }, - "enhancements": {}, - "vis": { - "colors": { - "added-group-account": "#1F78C1", - "added-member-to-group": "#0A437C", - "deleted-group-account": "#5195CE", - "modified-group-account": "#0A50A1", - "removed-member-from-group": "#82B5D8", - "type-changed-group-account": "#82B5D8", - "user-member-enumerated": "#2F575E" - } - }, - "savedVis": { - "title": "Group Management Action Distribution over Time [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - 
} - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false, - "valueAxis": "" - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "type": "histogram", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-30d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 25 - }, - "schema": "group", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 21, 
- "i": "f44255b0-d9a8-479f-be3f-829c1f6ed794", - "w": 22, - "x": 26, - "y": 29 - }, - "panelIndex": "f44255b0-d9a8-479f-be3f-829c1f6ed794", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "colors": { - "added-group-account": "#0A50A1", - "added-member-to-group": "#1F78C1", - "deleted-group-account": "#5195CE", - "modified-group-account": "#0A437C", - "user-member-enumerated": "#052B51" - }, - "enhancements": {}, - "vis": { - "colors": { - "added-group-account": "#0A50A1", - "added-member-to-group": "#1F78C1", - "deleted-group-account": "#5195CE", - "modified-group-account": "#0A437C", - "user-member-enumerated": "#2F575E" - } - }, - "savedVis": { - "title": "Group Management Events - Event Actions [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": false, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "type": "pie", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 21, - "i": "9c42bff2-b295-4617-8d8c-455bd5948b66", - "w": 21, - "x": 0, - "y": 8 - }, - "panelIndex": "9c42bff2-b295-4617-8d8c-455bd5948b66", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - 
"enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Group Membership Enumerated" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4799" - }, - "type": "phrase", - "value": "4799" - }, - "query": { - "match": { - "event.code": { - "query": "4799", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Blues", - "colorsRange": [ - { - "from": 0, - "to": 500, - "type": "range" - }, - { - "from": 500, - "to": 20000 - }, - { - "from": 20000, - "to": 30000 - }, - { - "from": 30000, - "to": 40000 - } - ], - "invertColors": true, - "labels": { - "show": true - }, - "metricColorMode": "Labels", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "0251daac-0c83-40d1-8134-217fd278d552", - "w": 15, - "x": 33, - "y": 72 - }, - "panelIndex": "0251daac-0c83-40d1-8134-217fd278d552", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - 
"params": { - "customLabel": "Users Removed from Groups" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4733", - "4729", - "4757", - "4786", - "4788", - "4752", - "4762", - "4747" - ], - "type": "phrases", - "value": "4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4786" - } - }, - { - "match_phrase": { - "event.code": "4788" - } - }, - { - "match_phrase": { - "event.code": "4752" - } - }, - { - "match_phrase": { - "event.code": "4762" - } - }, - { - "match_phrase": { - "event.code": "4747" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Greens", - "colorsRange": [ - { - "from": 0, - "to": 1, - "type": "range" - }, - { - "from": 1, - "to": 5 - }, - { - "from": 5, - "to": 9 - }, - { - "from": 9, - "to": 13 - }, - { - "from": 13, - "to": 17 - }, - { - "from": 17, - "to": 20000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "Labels", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": 
false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "a5bd9fc8-9360-4698-a534-ca31a1a84af7", - "w": 17, - "x": 16, - "y": 72 - }, - "panelIndex": "a5bd9fc8-9360-4698-a534-ca31a1a84af7", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Groups Deleted" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4734", - "4730", - "4758", - "4748", - "4763", - "4753", - "4792", - "4789" - ], - "type": "phrases", - "value": "4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4758" - } - }, - { - "match_phrase": { - "event.code": "4748" - } - }, - { - "match_phrase": { - "event.code": "4763" - } - }, - { - "match_phrase": { - "event.code": "4753" - } - }, - { - "match_phrase": { - "event.code": "4792" - } - }, - { - "match_phrase": { - "event.code": "4789" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { 
- "colorSchema": "Greens", - "colorsRange": [ - { - "from": 0, - "to": 1, - "type": "range" - }, - { - "from": 1, - "to": 5 - }, - { - "from": 5, - "to": 10 - }, - { - "from": 10, - "to": 15 - }, - { - "from": 15, - "to": 20 - }, - { - "from": 20, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "Labels", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "87b1d610-7062-491f-b038-ad5bed557af6", - "w": 9, - "x": 18, - "y": 50 - }, - "panelIndex": "87b1d610-7062-491f-b038-ad5bed557af6", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Users Added to Groups" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4732", - "4728", - "4756", - "4751", - "4761", - "4746", - "4785", - "4787" - ], - "type": "phrases", - "value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4751" - } - }, - { - "match_phrase": { - "event.code": "4761" - } - }, - { - "match_phrase": { - "event.code": "4746" - } - }, - { - "match_phrase": { - "event.code": "4785" - } - }, - { - "match_phrase": { - 
"event.code": "4787" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Reds", - "colorsRange": [ - { - "from": 0, - "to": 1, - "type": "range" - }, - { - "from": 1, - "to": 5 - }, - { - "from": 5, - "to": 10 - }, - { - "from": 10, - "to": 15 - }, - { - "from": 15, - "to": 20 - }, - { - "from": 20, - "to": 9999 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "Labels", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "4c87935a-36e5-41d2-a234-94ebf5a2fa4a", - "w": 16, - "x": 0, - "y": 72 - }, - "panelIndex": "4c87935a-36e5-41d2-a234-94ebf5a2fa4a", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Groups Changed" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4735", - "4737", - "4755", - "4750", - "4760", - "4745", - "4791", - "4784", - "4764" - ], - "type": "phrases", - "value": "4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764" - }, 
- "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4750" - } - }, - { - "match_phrase": { - "event.code": "4760" - } - }, - { - "match_phrase": { - "event.code": "4745" - } - }, - { - "match_phrase": { - "event.code": "4791" - } - }, - { - "match_phrase": { - "event.code": "4784" - } - }, - { - "match_phrase": { - "event.code": "4764" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Yellow to Red", - "colorsRange": [ - { - "from": 0, - "to": 1, - "type": "range" - }, - { - "from": 1, - "to": 5 - }, - { - "from": 5, - "to": 10 - }, - { - "from": 10, - "to": 15 - }, - { - "from": 15, - "to": 20 - }, - { - "from": 20, - "to": 100000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "Labels", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "8904c753-8834-4c9c-994f-29568fd953a5", - "w": 9, - "x": 9, - "y": 50 - }, - "panelIndex": "8904c753-8834-4c9c-994f-29568fd953a5", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - 
"params": { - "customLabel": "Groups Created" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4727", - "4754", - "4744", - "4759", - "4779", - "4790", - "4783" - ], - "type": "phrases", - "value": "4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4744" - } - }, - { - "match_phrase": { - "event.code": "4759" - } - }, - { - "match_phrase": { - "event.code": "4779" - } - }, - { - "match_phrase": { - "event.code": "4790" - } - }, - { - "match_phrase": { - "event.code": "4783" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Reds", - "colorsRange": [ - { - "from": 0, - "to": 1, - "type": "range" - }, - { - "from": 1, - "to": 10 - }, - { - "from": 10, - "to": 20 - }, - { - "from": 20, - "to": 9999 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "Labels", - "percentageMode": false, - "style": { - "bgColor": true, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - 
"type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "013bf4fc-f277-4c41-ad8d-3d9cc95dfedb", - "w": 9, - "x": 0, - "y": 50 - }, - "panelIndex": "013bf4fc-f277-4c41-ad8d-3d9cc95dfedb", - "title": "", - "type": "visualization", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[System Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "references": [ - { - "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "43:panel_43", - "type": "search" - }, - { - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "51:panel_51", - "type": "search" - }, - { - "id": "logs-*", - "name": "0251daac-0c83-40d1-8134-217fd278d552:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0251daac-0c83-40d1-8134-217fd278d552:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a5bd9fc8-9360-4698-a534-ca31a1a84af7:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a5bd9fc8-9360-4698-a534-ca31a1a84af7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "87b1d610-7062-491f-b038-ad5bed557af6:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "87b1d610-7062-491f-b038-ad5bed557af6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4c87935a-36e5-41d2-a234-94ebf5a2fa4a:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4c87935a-36e5-41d2-a234-94ebf5a2fa4a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8904c753-8834-4c9c-994f-29568fd953a5:kibanaSavedObjectMeta.searchSourceJSON.index", 
- "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8904c753-8834-4c9c-994f-29568fd953a5:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "013bf4fc-f277-4c41-ad8d-3d9cc95dfedb:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "013bf4fc-f277-4c41-ad8d-3d9cc95dfedb:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "36:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "36:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "37:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "37:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "38:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "38:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "39:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "39:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "40:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "40:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "42:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "42:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "search", - "name": 
"88e75800-8125-4c9e-96b8-5c36f6e91664:search_0", - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "4b793b8e-72d4-42a2-b377-1c70f0307414:search_0", - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "82d229f9-44f4-4c4b-baf7-f9673a14c87f:search_0", - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "f44255b0-d9a8-479f-be3f-829c1f6ed794:search_0", - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "9c42bff2-b295-4617-8d8c-455bd5948b66:search_0", - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268" - } - ], - "migrationVersion": { - "dashboard": "8.1.0" - }, - "coreMigrationVersion": "8.1.0" -} \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 8fb3d2012fa2..000000000000 --- a/packages/system/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,1419 +0,0 @@ -{ - "id": "system-035846a0-a249-11e9-a422-d144027429da", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-02-20T02:25:46.962Z", - "version": "WzUyMiwxXQ==", - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Logged on Administrators [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "date_histogram", - "format": { - "id": "date", - "params": { - "pattern": "YYYY-MM-DD HH:mm" - } - }, - "label": "Fecha - Hora ", - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "label": "Usuario", - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "number", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "label": "# Thread", - "params": {} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": 
"/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "label": "winlog.logon.id: Descending", - "params": {} - } - ], - "metrics": [ - { - "accessor": 4, - "aggType": "count", - "format": { - "id": "number" - }, - "label": "Cantidad Eventos ", - "params": {} - } - ] - }, - "perPage": 10, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Date", - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "2020-05-20T07:35:27.496Z", - "to": "2020-05-22T00:01:10.239Z" - }, - "useNormalizedEsInterval": true - }, - "schema": "bucket", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "6", - "params": { - "customLabel": "user.name", - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "8", - "params": { - "customLabel": "# Thread", - "field": "winlog.process.thread.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "9", - "params": { - "customLabel": "LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - 
"otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4672" - ], - "type": "phrases", - "value": "4672" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4672" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 28, - "i": "1", - "w": 18, - "x": 0, - "y": 38 - }, - "panelIndex": "1", - "title": "Sesiones Usuarios Admin", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Administrator Users [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "legendOpen": true - } - }, - "params": { - "addLegend": true, - "addTooltip": true, - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "label": "user.name: Descending", - "params": {} - } - ], - "metric": { - "accessor": 1, - "aggType": "cardinality", - "format": { - "id": "number" - }, - "label": "Unique count of winlog.logon.id", - "params": {} - } - }, - "distinctColors": true, - "isDonut": false, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "bottom", - "palette": { - 
"name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "type": "pie", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "field": "winlog.logon.id" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4672" - }, - "type": "phrase" - }, - "query": { - "match": { - "event.code": { - "query": "4672", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 19, - "i": "3", - "w": 18, - "x": 0, - "y": 19 - }, - "panelIndex": "3", - "title": "Usuarios Adm", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "User Logon Dashboard [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 10, - "markdown": "## **Logon Information Dashboard**", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 6, - "i": "4", - "w": 12, - "x": 0, - "y": 0 - }, - "panelIndex": "4", - "title": "", - "type": "visualization", - 
"version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 27, - "i": "10", - "w": 22, - "x": 0, - "y": 66 - }, - "panelIndex": "10", - "panelRefName": "panel_10", - "title": "Network Logon Details", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Dashboard links - Simple [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 12, - "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)" - } - } - } - } - }, - "gridData": { - "h": 6, - "i": "08245e0c-6afe-43ea-ba5f-76c3b17301fd", - "w": 36, - "x": 12, - "y": 0 - }, - "panelIndex": "08245e0c-6afe-43ea-ba5f-76c3b17301fd", - "title": "", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Logon Types [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "legendOpen": true - } - }, - "params": { - "addLegend": true, - 
"addTooltip": true, - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "label": "user.name: Descending", - "params": {} - } - ], - "metric": { - "accessor": 1, - "aggType": "cardinality", - "format": { - "id": "number" - }, - "label": "Unique count of winlog.logon.id", - "params": {} - } - }, - "distinctColors": true, - "isDonut": false, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "type": "pie", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "field": "winlog.logon.id" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "winlog.logon.type", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4624" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.code": "4624" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 19, - "i": "bbdca4de-11c5-4957-a74c-73769416a562", - "w": 
12, - "x": 18, - "y": 19 - }, - "panelIndex": "bbdca4de-11c5-4957-a74c-73769416a562", - "title": "Logon Types", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Logon Sources [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "type": "tagcloud", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "source.ip", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 15 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security " - } - } - } - } - }, - "gridData": { - "h": 19, - "i": "4df66ae6-e047-47c7-b1a9-b15221eb9d90", - "w": 18, - "x": 30, - "y": 19 - }, - "panelIndex": "4df66ae6-e047-47c7-b1a9-b15221eb9d90", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 28, - "i": "454bb008-9720-455e-8ab9-b2f47d25aa4f", - "w": 19, - "x": 18, - "y": 38 - }, - "panelIndex": "454bb008-9720-455e-8ab9-b2f47d25aa4f", - "panelRefName": "panel_454bb008-9720-455e-8ab9-b2f47d25aa4f", - "title": "RDP Reconnections and Desconnections", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Logon with Explicit Credentials [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - 
} - } - } - }, - "params": { - "perPage": 10, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "user.name", - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 200 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "subjectUserName", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "source.ip", - "field": "source.ip", - "json": "{\"missing\": \"::\"}", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "6", - "params": { - "customLabel": "LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": 
false, - "params": { - "query": "4648" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.code": "4648" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 28, - "i": "baec73e7-7166-4577-9483-1252bdd8773c", - "w": 11, - "x": 37, - "y": 38 - }, - "panelIndex": "baec73e7-7166-4577-9483-1252bdd8773c", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 27, - "i": "28115147-8399-4fcd-95ce-ed0a4f4239e3", - "w": 26, - "x": 22, - "y": 66 - }, - "panelIndex": "28115147-8399-4fcd-95ce-ed0a4f4239e3", - "panelRefName": "panel_28115147-8399-4fcd-95ce-ed0a4f4239e3", - "title": "Logout Details", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Logons" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4624" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.code": "4624" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "aggType": "cardinality", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "metric": { - "colorSchema": 
"Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 13, - "i": "a136c9fa-5292-4249-86f3-27be07f7174f", - "w": 9, - "x": 9, - "y": 6 - }, - "panelIndex": "a136c9fa-5292-4249-86f3-27be07f7174f", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Admin Logons" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4672" - }, - "type": "phrase" - }, - "query": { - "match": { - "event.code": { - "query": "4672", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "aggType": "cardinality", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - 
"labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 13, - "i": "c96bc4af-1664-49ae-bccf-08639720635f", - "w": 9, - "x": 0, - "y": 6 - }, - "panelIndex": "c96bc4af-1664-49ae-bccf-08639720635f", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-15m", - "to": "now" - }, - "useNormalizedEsInterval": true, - "used_interval": "30s" - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "event.code: \"4624\" " - }, - "label": "Logon Events" - }, - { - "input": { - "language": "kuery", - "query": "event.code: \"4672\" " - }, - "label": "Admin Logons" - } - ] - }, - "schema": "group", - "type": "filters" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4624", - "4672" - ], - "type": "phrases", - "value": "4624, 4672" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4624" - } - }, - { - "match_phrase": { - "event.code": "4672" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR 
data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "fittingFunction": "linear", - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": {}, - "legendPosition": "right", - "maxLegendLines": 1, - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "radiusRatio": 9, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "cardinal", - "lineWidth": 2, - "mode": "normal", - "show": true, - "showCircles": true, - "type": "line", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "truncateLegend": true, - "type": "line", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "type": "line", - "uiState": { - "vis": { - "colors": { - "Admin Logons": "#E24D42", - "Logon Events": "#447EBC" - } - } - } - } - }, - "gridData": { - "h": 13, - "i": "166d81c9-eb24-44ae-b1d7-ea496f39ce5e", - "w": 30, - "x": 18, - "y": 6 - }, - "panelIndex": "166d81c9-eb24-44ae-b1d7-ea496f39ce5e", - "title": "Logon Events Timeline", - "type": "visualization", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[System Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - 
"references": [ - { - "id": "system-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "10:panel_10", - "type": "search" - }, - { - "id": "system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "454bb008-9720-455e-8ab9-b2f47d25aa4f:panel_454bb008-9720-455e-8ab9-b2f47d25aa4f", - "type": "search" - }, - { - "id": "system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "28115147-8399-4fcd-95ce-ed0a4f4239e3:panel_28115147-8399-4fcd-95ce-ed0a4f4239e3", - "type": "search" - }, - { - "id": "logs-*", - "name": "a136c9fa-5292-4249-86f3-27be07f7174f:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a136c9fa-5292-4249-86f3-27be07f7174f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c96bc4af-1664-49ae-bccf-08639720635f:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c96bc4af-1664-49ae-bccf-08639720635f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "166d81c9-eb24-44ae-b1d7-ea496f39ce5e:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "166d81c9-eb24-44ae-b1d7-ea496f39ce5e:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "1:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "1:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "3:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": 
"bbdca4de-11c5-4957-a74c-73769416a562:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "bbdca4de-11c5-4957-a74c-73769416a562:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "search", - "name": "4df66ae6-e047-47c7-b1a9-b15221eb9d90:search_0", - "id": "system-7e178c80-fee1-11e9-8405-516218e3d268" - }, - { - "type": "index-pattern", - "name": "baec73e7-7166-4577-9483-1252bdd8773c:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "baec73e7-7166-4577-9483-1252bdd8773c:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - } - ], - "migrationVersion": { - "dashboard": "8.1.0" - }, - "coreMigrationVersion": "8.1.0" -} \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 7c9f48c61859..000000000000 --- a/packages/system/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,3641 +0,0 @@ -{ - "id": "system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-02-20T02:25:46.962Z", - "version": "WzUyOCwxXQ==", - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "User Management Events - Description [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 10, - "markdown": "# **User Management Events**\n\n#### This dashboard shows information about User Management Events collected by winlogbeat\n", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 7, - "i": "1", - "w": 17, - "x": 0, - "y": 0 - }, - "panelIndex": "1", - "title": "", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Created - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - 
"missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Created User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonID", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4720" - }, - "type": "phrase", - "value": "4720" - }, - "query": { - "match": { - "event.code": { - "query": "4720", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "3", - "w": 9, - "x": 0, - "y": 55 - }, - "panelIndex": "3", - "title": "Created Users [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Enabled - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - 
"enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Enabled User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4722" - }, - "type": "phrase", - "value": "4722" - }, - "query": { - "match": { - "event.code": { - "query": "4722", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security " - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "5", - "w": 9, - "x": 9, - "y": 55 - }, - "panelIndex": "5", - "title": "Enabled Users [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - 
"enhancements": {}, - "savedVis": { - "title": "Users Disabled - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Disabled User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 
- }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4725" - }, - "type": "phrase", - "value": "4725" - }, - "query": { - "match": { - "event.code": { - "query": "4725", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "6", - "w": 9, - "x": 0, - "y": 80 - }, - "panelIndex": "6", - "title": "Disabled Users [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Deleted - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": 
{ - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Deleted User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performed LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4726" - }, - "type": "phrase", - "value": "4726" - }, - "query": { - 
"match": { - "event.code": { - "query": "4726", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "7", - "w": 9, - "x": 18, - "y": 55 - }, - "panelIndex": "7", - "title": "Deleted Users [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Password Changes - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Password Change to", - "field": 
"winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4723", - "4724" - ], - "type": "phrases", - "value": "4723, 4724" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "9", - "w": 9, - "x": 18, - "y": 80 - }, - "panelIndex": "9", - "title": "Passwords Changes [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Unlocked Users - Table 
[Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Unlocked User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": 
true, - "id": "4", - "params": { - "customLabel": "Performer Logonid", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4767" - }, - "type": "phrase", - "value": "4767" - }, - "query": { - "match": { - "event.code": { - "query": "4767", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "15", - "w": 9, - "x": 9, - "y": 80 - }, - "panelIndex": "15", - "title": "Unlocked Users [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Changes Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - 
"missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Changed User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4738" - }, - "type": "phrase", - "value": "4738" - }, - "query": { - "match": { - "event.code": { - "query": "4738", - 
"type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "16", - "w": 9, - "x": 18, - "y": 105 - }, - "panelIndex": "16", - "title": "Users Changes [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Locked Out - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Locked User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, 
- "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4740" - }, - "type": "phrase", - "value": "4740" - }, - "query": { - "match": { - "event.code": { - "query": "4740", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "20", - "w": 9, - "x": 0, - "y": 105 - }, - "panelIndex": "20", - "title": "Locked-out Users [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 48, - "i": "22", - "w": 21, - "x": 27, - "y": 73 - }, - "panelIndex": "22", - "panelRefName": "panel_22", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - 
"enhancements": {} - }, - "gridData": { - "h": 19, - "i": "23", - "w": 48, - "x": 0, - "y": 121 - }, - "panelIndex": "23", - "panelRefName": "panel_23", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Users Renamed - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 3, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 10, - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Old User Name", - "field": "winlog.event_data.OldTargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - 
"customLabel": "Performed by", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Performer LogonId", - "field": "winlog.logon.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4781" - }, - "type": "phrase", - "value": "4781" - }, - "query": { - "match": { - "event.code": { - "query": "4781", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 16, - "i": "25", - "w": 9, - "x": 9, - "y": 105 - }, - "panelIndex": "25", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Dashboard links - Simple [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 12, - "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management 
Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)" - } - } - } - } - }, - "gridData": { - "h": 7, - "i": "20adcb1b-cebf-4a75-9bc4-eaeeee626c5e", - "w": 31, - "x": 17, - "y": 0 - }, - "panelIndex": "20adcb1b-cebf-4a75-9bc4-eaeeee626c5e", - "title": "", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "colors": { - "added-user-account": "#0A437C", - "deleted-user-account": "#82B5D8", - "enabled-user-account": "#0A50A1", - "modified-user-account": "#052B51", - "renamed-user-account": "#1F78C1", - "reset-password": "#5195CE" - }, - "enhancements": {}, - "vis": { - "colors": { - "added-user-account": "#0A437C", - "deleted-user-account": "#82B5D8", - "disabled-user-account": "#BADFF4", - "enabled-user-account": "#0A50A1", - "modified-user-account": "#052B51", - "renamed-user-account": "#1F78C1", - "reset-password": "#5195CE" - } - }, - "savedVis": { - "title": "User Management Actions [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": false, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "type": "pie", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - 
"params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 15 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 19, - "i": "8aad73ff-37b1-487a-a3f1-b80b93618ac4", - "w": 18, - "x": 0, - "y": 7 - }, - "panelIndex": "8aad73ff-37b1-487a-a3f1-b80b93618ac4", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "User Event Actions - Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "perPage": 10, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "event.action", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 25 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "event.code", - "field": "event.code", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - 
"size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 19, - "i": "18cc78ac-3f77-4f54-b351-cb94873cae3f", - "w": 14, - "x": 18, - "y": 7 - }, - "panelIndex": "18cc78ac-3f77-4f54-b351-cb94873cae3f", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Target Users [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "type": "tagcloud", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 19, - "i": "75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d", - "w": 16, - "x": 32, - "y": 7 - }, - "panelIndex": "75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "vis": null, - "savedVis": { - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "addLegend": true, - "addTooltip": true, - "colorSchema": "Blues", - 
"colorsNumber": 4, - "colorsRange": [], - "enableHover": false, - "invertColors": false, - "legendPosition": "right", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": true - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] - }, - "type": "heatmap", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Target User", - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "group", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 20, - "i": "f443b5b0-ada7-426f-ae2f-46573f94f24f", - "w": 48, - "x": 0, - "y": 26 - }, - "panelIndex": "f443b5b0-ada7-426f-ae2f-46573f94f24f", - "title": "Actions performed over Users [Windows System Security]", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "colors": { - "added-user-account": "#0A437C", - "deleted-user-account": "#82B5D8", - "disabled-user-account": "#BADFF4", - "enabled-user-account": "#0A50A1", - "modified-user-account": "#2F575E", - "renamed-user-account": "#1F78C1", - "reset-password": 
"#5195CE" - }, - "enhancements": {}, - "vis": { - "colors": { - "added-user-account": "#0A437C", - "deleted-user-account": "#82B5D8", - "disabled-user-account": "#BADFF4", - "enabled-user-account": "#0A50A1", - "modified-user-account": "#2F575E", - "renamed-user-account": "#1F78C1", - "reset-password": "#5195CE", - "unlocked-user-account": "#0A437C" - } - }, - "savedVis": { - "title": "Event Distribution in time [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "type": "histogram", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - 
"drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-7d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 15 - }, - "schema": "group", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 27, - "i": "820c0311-d378-49dc-a614-e0fed2254603", - "w": 21, - "x": 27, - "y": 46 - }, - "panelIndex": "820c0311-d378-49dc-a614-e0fed2254603", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Users Created" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4720" - }, - "type": "phrase", - "value": "4720" - }, - "query": { - "match": { - "event.code": { - "query": "4720", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - 
"format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "b781019d-5141-4d37-ac37-95e94f611cbe", - "w": 9, - "x": 0, - "y": 46 - }, - "panelIndex": "b781019d-5141-4d37-ac37-95e94f611cbe", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Users Enabled", - "field": "user.name" - }, - "schema": "metric", - "type": "cardinality" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4722" - }, - "type": "phrase", - "value": "4722" - }, - "query": { - "match": { - "event.code": { - "query": "4722", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": 
"range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "47d080a1-d76c-427c-8bfb-e7a330a1b2b3", - "w": 9, - "x": 9, - "y": 46 - }, - "panelIndex": "47d080a1-d76c-427c-8bfb-e7a330a1b2b3", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Deleted Users" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4726" - }, - "type": "phrase", - "value": "4726" - }, - "query": { - "match": { - "event.code": { - "query": "4726", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - 
"subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "8097773c-bf3e-44d4-a926-4f01fdc830b6", - "w": 9, - "x": 18, - "y": 46 - }, - "panelIndex": "8097773c-bf3e-44d4-a926-4f01fdc830b6", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Disabled Users", - "field": "user.name" - }, - "schema": "metric", - "type": "cardinality" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4725" - }, - "type": "phrase", - "value": "4725" - }, - "query": { - "match": { - "event.code": { - "query": "4725", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "cb49bdcd-aba2-4d75-8650-9fc59aaaab52", - "w": 
9, - "x": 0, - "y": 71 - }, - "panelIndex": "cb49bdcd-aba2-4d75-8650-9fc59aaaab52", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Password Changes" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4723", - "4724" - ], - "type": "phrases", - "value": "4723, 4724" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "191dd86f-cdfd-4062-82c6-a18f73fc6e5a", - "w": 9, - "x": 18, - "y": 71 - }, - "panelIndex": "191dd86f-cdfd-4062-82c6-a18f73fc6e5a", - "title": "", - "type": 
"visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Users Unlocks" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4767" - ], - "type": "phrases", - "value": "4767" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4767" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "f70f1e1a-0a9c-4053-b289-670b639cf550", - "w": 9, - "x": 9, - "y": 71 - }, - "panelIndex": "f70f1e1a-0a9c-4053-b289-670b639cf550", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - 
"customLabel": "Users Locked Out" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4740" - ], - "type": "phrases", - "value": "4740" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4740" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "c88bf086-b79a-4ad5-821d-0980de37bd18", - "w": 9, - "x": 0, - "y": 96 - }, - "panelIndex": "c88bf086-b79a-4ad5-821d-0980de37bd18", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Renamed Users" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": 
null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4781" - ], - "type": "phrases", - "value": "4781" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4781" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "25537b25-b09e-4984-a447-38b88d9a857e", - "w": 9, - "x": 9, - "y": 96 - }, - "panelIndex": "25537b25-b09e-4984-a447-38b88d9a857e", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Changes in Users" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4738" - ], - "type": 
"phrases", - "value": "4738" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4738" - } - } - ] - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "dimensions": { - "metrics": [ - { - "accessor": 0, - "format": { - "id": "number", - "params": {} - }, - "type": "vis_dimension" - } - ] - }, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000, - "type": "range" - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 9, - "i": "ffb72cfa-d533-4314-936e-56646aa4994d", - "w": 9, - "x": 18, - "y": 96 - }, - "panelIndex": "ffb72cfa-d533-4314-936e-56646aa4994d", - "title": "", - "type": "visualization", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[System Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "references": [ - { - "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "22:panel_22", - "type": "search" - }, - { - "id": "system-324686c0-fefb-11e9-8405-516218e3d268", - "name": "23:panel_23", - "type": "search" - }, - { - "id": "logs-*", - "name": "b781019d-5141-4d37-ac37-95e94f611cbe:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b781019d-5141-4d37-ac37-95e94f611cbe:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"47d080a1-d76c-427c-8bfb-e7a330a1b2b3:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47d080a1-d76c-427c-8bfb-e7a330a1b2b3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8097773c-bf3e-44d4-a926-4f01fdc830b6:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8097773c-bf3e-44d4-a926-4f01fdc830b6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cb49bdcd-aba2-4d75-8650-9fc59aaaab52:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cb49bdcd-aba2-4d75-8650-9fc59aaaab52:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "191dd86f-cdfd-4062-82c6-a18f73fc6e5a:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "191dd86f-cdfd-4062-82c6-a18f73fc6e5a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f70f1e1a-0a9c-4053-b289-670b639cf550:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f70f1e1a-0a9c-4053-b289-670b639cf550:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c88bf086-b79a-4ad5-821d-0980de37bd18:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c88bf086-b79a-4ad5-821d-0980de37bd18:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "25537b25-b09e-4984-a447-38b88d9a857e:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "25537b25-b09e-4984-a447-38b88d9a857e:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ffb72cfa-d533-4314-936e-56646aa4994d:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ffb72cfa-d533-4314-936e-56646aa4994d:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "3:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "5:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "5:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "6:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "7:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "9:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "15:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "15:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": 
"16:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "16:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "20:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "20:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "25:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "25:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "search", - "name": "8aad73ff-37b1-487a-a3f1-b80b93618ac4:search_0", - "id": "system-324686c0-fefb-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "18cc78ac-3f77-4f54-b351-cb94873cae3f:search_0", - "id": "system-324686c0-fefb-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d:search_0", - "id": "system-324686c0-fefb-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "f443b5b0-ada7-426f-ae2f-46573f94f24f:search_0", - "id": "system-324686c0-fefb-11e9-8405-516218e3d268" - }, - { - "type": "search", - "name": "820c0311-d378-49dc-a614-e0fed2254603:search_0", - "id": "system-324686c0-fefb-11e9-8405-516218e3d268" - } - ], - "migrationVersion": { - "dashboard": "8.1.0" - }, - "coreMigrationVersion": "8.1.0" -} \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f56307277dbe..000000000000 --- a/packages/system/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,1769 +0,0 @@ -{ - "id": "system-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-02-20T02:25:46.962Z", - "version": "WzUzNSwxXQ==", - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": false - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Failed Logon and Account Lockout [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 10, - "markdown": "### **Failed Logons and Account Lockouts**", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 7, - "i": "1", - "w": 14, - "x": 0, - "y": 0 - }, - "panelIndex": "1", - "title": "", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "colors": { - "Failed Logins": "#EF843C", - "Failed Logons": "#E24D42", - "Successful Login": "#B7DBAB", - "Successful Logon": "#9AC48A" - }, - "enhancements": {}, - "legendOpen": true, - "vis": { - "colors": { - "Failed Logins": "#EF843C", - "Failed Logons": "#BF1B00", - "Successful Login": "#B7DBAB", - "Successful Logon": "#9AC48A" - }, - "legendOpen": true - }, - "savedVis": { - "title": "Logon Successful vs Failed [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "colors": { - "Failed Logins": "#EF843C", - "Failed Logons": "#EA6460", - "Successful Login": "#B7DBAB", - "Successful Logon": "#B7DBAB" - } - } - }, - "params": { - "addLegend": true, - 
"addTooltip": true, - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "filters", - "format": {}, - "params": {} - } - ], - "metric": { - "accessor": 1, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - }, - "distinctColors": true, - "isDonut": false, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "bottom", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "type": "pie", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "filters": [ - { - "input": { - "language": "lucene", - "query": "event.code: 4624" - }, - "label": "Successful Logon" - }, - { - "input": { - "language": "lucene", - "query": "event.code: 4625" - }, - "label": "Failed Logons" - } - ] - }, - "schema": "segment", - "type": "filters" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 18, - "i": "2", - "w": 12, - "x": 0, - "y": 7 - }, - "panelIndex": "2", - "title": "Login Successful vs Failed", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Blocked Accounts Tag [Windows System Security]", - 
"description": "", - "uiState": {}, - "params": { - "bucket": { - "accessor": 0, - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "type": "vis_dimension" - }, - "maxFontSize": 53, - "metric": { - "accessor": 1, - "format": { - "id": "string", - "params": {} - }, - "type": "vis_dimension" - }, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "type": "tagcloud", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "winlog.event_data.TargetUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4740" - }, - "type": "phrase" - }, - "query": { - "match": { - "event.code": { - "query": "4740", - "type": "phrase" - } - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security " - } - } - } - } - }, - "gridData": { - "h": 21, - "i": "3", - "w": 11, - "x": 12, - "y": 35 - }, - "panelIndex": "3", - "title": "Blocked Acoounts", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "colors": { - "Login 
Failed": "#F9934E", - "Login OK": "#9AC48A", - "Logon Failed": "#E24D42", - "Logon Successful": "#9AC48A" - }, - "enhancements": {}, - "legendOpen": true, - "vis": { - "colors": { - "Login Failed": "#F9934E", - "Login OK": "#9AC48A", - "Logon Failed": "#BF1B00", - "Logon Successful": "#9AC48A" - }, - "legendOpen": true - }, - "savedVis": { - "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "colors": { - "Login Failed": "#F9934E", - "Login OK": "#9AC48A", - "Logon Failed": "#EF843C", - "Logon Successful": "#9AC48A" - } - } - }, - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "dimensions": { - "series": [ - { - "accessor": 1, - "aggType": "filters", - "format": {}, - "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "date_histogram", - "format": { - "id": "date", - "params": { - "pattern": "HH:mm" - } - }, - "params": { - "bounds": { - "max": "2019-07-16T14:30:11.515Z", - "min": "2019-07-16T12:30:11.514Z" - }, - "date": true, - "format": "HH:mm", - "interval": "PT1M" - } - }, - "y": [ - { - "accessor": 2, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "bottom", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "mode": "stacked", - "show": "true", - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": 
"#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "type": "histogram", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "2020-05-17T09:37:55.995Z", - "to": "2020-05-22T03:09:27.260Z" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "filters": [ - { - "input": { - "language": "lucene", - "query": "event.code: 4624" - }, - "label": "Logon Successful" - }, - { - "input": { - "language": "lucene", - "query": "event.code: 4625" - }, - "label": "Logon Failed" - } - ] - }, - "schema": "group", - "type": "filters" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } 
- }, - "gridData": { - "h": 18, - "i": "4", - "w": 23, - "x": 12, - "y": 7 - }, - "panelIndex": "4", - "title": "Logon Successful and Failed Over time", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Logon Failed Acconts [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "bucket": { - "accessor": 0, - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "type": "vis_dimension" - }, - "maxFontSize": 37, - "metric": { - "accessor": 1, - "format": { - "id": "string", - "params": {} - }, - "type": "vis_dimension" - }, - "minFontSize": 15, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "type": "tagcloud", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4625", - "4771" - ], - "type": "phrases", - "value": "4625, 4771" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4625" - } - }, - { - "match_phrase": { - "event.code": "4771" - } - } - ] - } - } - } - ], - 
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 21, - "i": "5", - "w": 12, - "x": 0, - "y": 35 - }, - "panelIndex": "5", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "vis": { - "defaultColors": { - "0 - 5": "rgb(255,245,240)", - "10 - 15": "rgb(252,138,106)", - "15 - 20": "rgb(241,68,50)", - "20 - 24": "rgb(188,20,26)", - "5 - 10": "rgb(253,202,181)" - }, - "legendOpen": false - }, - "savedVis": { - "title": "Failed Logon HeatMap [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "defaultColors": { - "0 - 4": "rgb(255,255,204)", - "12 - 16": "rgb(252,91,46)", - "16 - 20": "rgb(212,16,32)", - "4 - 8": "rgb(254,225,135)", - "8 - 12": "rgb(254,171,73)" - } - } - }, - "params": { - "addLegend": true, - "addTooltip": false, - "colorSchema": "Yellow to Red", - "colorsNumber": 5, - "colorsRange": [], - "dimensions": { - "series": [ - { - "accessor": 1, - "aggType": "date_histogram", - "format": { - "id": "date", - "params": { - "pattern": "YYYY-MM-DD HH:mm" - } - }, - "label": "@timestamp per hour", - "params": {} - } - ], - "x": { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "label": "user.name: Descending", - "params": {} - }, - "y": [ - { - "accessor": 2, - "aggType": "count", - "format": { - "id": "number" - }, - "label": "Count", - "params": {} - } - ] - }, - "enableHover": true, - "invertColors": false, - "legendPosition": "bottom", - "percentageMode": false, - "setColorRange": false, - "times": [], - "type": "heatmap", - "valueAxes": [ - { - "id": 
"ValueAxis-1", - "labels": { - "color": "black", - "overwriteColor": false, - "rotate": 0, - "show": true - }, - "scale": { - "defaultYExtents": false, - "type": "linear" - }, - "show": false, - "type": "value" - } - ] - }, - "type": "heatmap", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 15 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "drop_partials": true, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "h", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "2020-05-17T09:37:55.995Z", - "to": "2020-05-22T03:09:27.260Z" - }, - "useNormalizedEsInterval": true - }, - "schema": "group", - "type": "date_histogram" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4625" - ], - "type": "phrases", - "value": "4625" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4625" - } - } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 30, - "i": "6", - "w": 48, - "x": 0, - "y": 56 - }, - "panelIndex": "6", - "title": "Logon Failed (Time Mosaic View)", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 20, - "i": "8", - "w": 48, - "x": 0, - "y": 86 - }, - "panelIndex": "8", - "panelRefName": "panel_8", - "title": "Logon Failed and Account Lockouts", - "type": "search", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Logon Failed Source IP [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "bucket": { - "accessor": 0, - "format": { - "id": "terms", - "params": { - "id": "ip", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other", - "parsedUrl": { - "basePath": "/s/siem", - "origin": "https://192.168.1.72:5601", - "pathname": "/s/siem/app/kibana" - } - } - }, - "type": "vis_dimension" - }, - "maxFontSize": 38, - "metric": { - "accessor": 1, - "format": { - "id": "string", - "params": {} - }, - "type": "vis_dimension" - }, - "minFontSize": 10, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "type": "tagcloud", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "source.ip", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": 
null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4625" - }, - "type": "phrase" - }, - "query": { - "match": { - "event.code": { - "query": "4625", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 18, - "i": "10", - "w": 13, - "x": 35, - "y": 7 - }, - "panelIndex": "10", - "title": "Logon Failed Source IPs", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Logon Failed Table [Windows System Security]", - "description": "", - "uiState": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "params": { - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "date_histogram", - "format": { - "id": "date", - "params": { - "pattern": "YYYY-MM-DD HH:mm" - } - }, - "params": {} - }, - { - "accessor": 1, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 2, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": 
{} - }, - { - "accessor": 3, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "ip", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - }, - { - "accessor": 4, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metrics": [ - { - "accessor": 5, - "aggType": "count", - "format": { - "id": "number" - }, - "params": {} - } - ] - }, - "perPage": 15, - "percentageCol": "", - "showMetricsAtAllLevels": false, - "showPartialRows": false, - "showToolbar": true, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "type": "table", - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Time Bucket", - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "h", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "2020-05-17T09:37:55.995Z", - "to": "2020-05-22T03:09:27.260Z" - }, - "useNormalizedEsInterval": true - }, - "schema": "bucket", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "user.name", - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 1000 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "source workstation", - "field": "source.domain", - "json": "{\"missing\": \"N/A\"}", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": 
"terms" - }, - { - "enabled": true, - "id": "5", - "params": { - "customLabel": "source.ip", - "field": "source.ip", - "json": "{\"missing\": \"::\"}", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "6", - "params": { - "customLabel": "event.action", - "field": "event.action", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "7", - "params": { - "customLabel": "winlog.logon.type", - "field": "winlog.logon.type", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "8", - "params": { - "customLabel": "winlog.event_data.SubjectUserName", - "field": "winlog.event_data.SubjectUserName", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4625" - }, - "type": "phrase" - }, - "query": { - "match": { - "event.code": { - "query": "4625", - "type": "phrase" - } - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": 
"winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - } - } - }, - "gridData": { - "h": 31, - "i": "11", - "w": 25, - "x": 23, - "y": 25 - }, - "panelIndex": "11", - "title": "Failed Logins Table", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Dashboard links - Simple [Windows System Security]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 12, - "markdown": "[Windows Overview](#/dashboard/system-Windows-Dashboard) | [User Logon Information](#/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/system-bb858830-f412-11e9-8405-516218e3d268)", - "openLinksInNewTab": false - }, - "type": "markdown", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)" - } - } - } - } - }, - "gridData": { - "h": 7, - "i": "a79ee89f-ff45-486c-9788-9446d39456c2", - "w": 34, - "x": 14, - "y": 0 - }, - 
"panelIndex": "a79ee89f-ff45-486c-9788-9446d39456c2", - "title": "", - "type": "visualization", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Blocked Accounts", - "field": "user.name" - }, - "schema": "metric", - "type": "cardinality" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4740" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.code": "4740" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 10, - "i": "3a53621a-8308-48cc-a5a5-828ba8b6c9ac", - "w": 11, - "x": 12, - "y": 25 - }, - "panelIndex": "3a53621a-8308-48cc-a5a5-828ba8b6c9ac", - "title": "", - "type": "visualization", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Failed Logons" - }, - "schema": "metric", - "type": "count" - } - ], - "searchSource": { - "filter": [ - { - "$state": { - 
"store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4625" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.code": "4625" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - } - } - }, - "description": "", - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "type": "metric", - "uiState": {} - } - }, - "gridData": { - "h": 10, - "i": "78671aa0-2649-4e4b-a601-e4b179b3e738", - "w": 12, - "x": 0, - "y": 25 - }, - "panelIndex": "78671aa0-2649-4e4b-a601-e4b179b3e738", - "title": "", - "type": "visualization", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "references": [ - { - "id": "system-757510b0-a87f-11e9-a422-d144027429da", - "name": "8:panel_8", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"3a53621a-8308-48cc-a5a5-828ba8b6c9ac:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a53621a-8308-48cc-a5a5-828ba8b6c9ac:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "78671aa0-2649-4e4b-a601-e4b179b3e738:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "78671aa0-2649-4e4b-a601-e4b179b3e738:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "78671aa0-2649-4e4b-a601-e4b179b3e738:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "type": "index-pattern", - "name": "2:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "2:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "3:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "4:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "4:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "5:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "5:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "6:kibanaSavedObjectMeta.searchSourceJSON.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": "6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "id": "logs-*" - }, - { - "type": "index-pattern", - "name": 
"6:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "10:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "10:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "10:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "11:kibanaSavedObjectMeta.searchSourceJSON.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "11:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "id": "logs-*"
- },
- {
- "type": "index-pattern",
- "name": "11:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "id": "logs-*"
- }
- ],
- "migrationVersion": {
- "dashboard": "8.1.0"
- },
- "coreMigrationVersion": "8.1.0"
-}
\ No newline at end of file
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 43f732a0aa05..28269e08b0e3 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 1.25.0
+version: 1.25.1
 license: basic
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration