User/Group Management Dashboards #15236
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?
@leehinman I have created a new PR only for dashboards of user and group events
Pinging @elastic/siem (Team:SIEM)
Add dashboards to the Winlogbeat Security module for visualizing User Management events and Group Management events. There are two versions of each dashboard - one with and one without TSVB (time series visual builder) visualizations. This updates the Winlogbeat build to include the dashboards from the module directories. And it adds winlog.event_data.MemberName to the fields.yml because it's used in the user management dashboard and should be in the fields.yml so the dashboards load without error.
jenkins, test this
I fixed up the dashboards. The only issue with them was that the format was slightly different than what is expected for the dashboards that are checked into the repo. The ones in the repo get decoded to make diffing a little easier, then are encoded again when released in packages. I think there is a
Looks like we hit a few linter issues. I'll try to fix them:
jenkins, test this
Add dashboards to the Winlogbeat Security module for visualizing User Management events and Group Management events. There are two versions of each dashboard - one with and one without TSVB (time series visual builder) visualizations. This updates the Winlogbeat build to include the dashboards from the module directories. And it adds winlog.event_data.MemberName to the fields.yml because it's used in the user management dashboard and should be in the fields.yml so the dashboards load without error. Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit d866824) Co-authored-by: Anabella Cristaldi <[email protected]>
"id": "4", | ||
"params": { | ||
"customLabel": "Performer LogonID", | ||
"field": "winlog.logon.id", |
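Review bot: the `field` of agg `"4"` ("Performer LogonID") is `winlog.logon.id`, which the security module's fields.yml does not declare, so the `winlogbeat-*` index pattern generated at setup will not contain it and Kibana reports "Could not locate that index-pattern-field (id: winlog.logon.id)" when this visualization (for example "Users Deleted - Table [Winlogbeat Security]") is opened for editing. The same check applies to every other field the new dashboards reference: declare each one in the module's fields.yml alongside the `winlog.event_data.MemberName` entry this PR already adds, rather than relying on the field showing up only once a matching event has been indexed.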
It appears a user from the community (using a fresh 7.8.0 stack) noticed that winlog.logon.id does not exist in the winlogbeat-* index pattern from the setup, which yields an error message "Could not locate that index-pattern-field (id: winlog.logon.id)" when trying to edit/look at some of the new visualizations such as "Users Deleted - Table [Winlogbeat Security]".
Not sure if I follow but it looks like the index pattern is "generated" from the fields.yml and if that is true I can see why this field does not get added to the winlogbeat-* index pattern.
The fields.common.yml is missing winlog.logon.id so maybe that is why the default index pattern that gets generated may not have this field?
Slack thread here: https://elasticstack.slack.com/archives/CNEDGGJQ3/p1595052755138500
Maybe this is a case of Dashboards/Visualizations using a custom index pattern that isn't fully compliant with the default winlogbeat-* index pattern created from the setup?
If users don't get all of the event logs that would contain these fields then the index pattern would never contain this field, so maybe it is worth adding into the fields.common.yml? I just wanted to make a note of this analysis.
Hi @nicpenning,
I don't know exactly how the winlogbeat index pattern is generated, but probably I'll need to add the field winlog.logon.id in the security module specific fields.yml file (beats\x-pack\winlogbeat\module\security_meta\fields.yml).
@andrewkroh, what do you think? Should I add this field here or in any other place?
In addition, what are the criteria for adding a field to the yaml? The winlog.logon.id is not the only field I've added; I can add the necessary fields.
Thank you!
Regards
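The failure discussed above is mechanical: a visualization names a field that fields.yml never declares, so the index pattern built from fields.yml lacks it and Kibana cannot resolve the reference. The following check script is an added example for this thread, not code from Beats or Winlogbeat; it assumes the decoded dashboard JSON carries each visualization's visState as an object with aggregation fields at aggs[].params.field (TSVB fields at params.series[].metrics[].field and params.time_field), and that fields.yml is a list of {name, type, fields: [...]} entries whose nested names join with dots. The fields.yml content and the visState below are constructed stand-ins that reproduce the winlog.logon.id case, not the module's real files.

```python
"""Flag fields a Kibana visualization references that a Beats-style fields.yml
does not declare, since the generated index pattern will be missing them.

Added example for the fields.yml discussion in this PR; not part of Beats.
Assumptions (hypothetical, not verified against the Beats build tooling):
  - decoded dashboards expose visState as an object, with classic aggs under
    aggs[].params.field and TSVB fields under params.series[].metrics[].field
    and params.time_field;
  - fields.yml is a list of {name, type, fields: [...]} entries whose nested
    names join with dots (winlog -> logon -> id gives winlog.logon.id).
"""
from typing import Any, Dict, Iterator, List, Set

# Constructed stand-in for the security module's fields.yml, already parsed
# (with PyYAML this would be yaml.safe_load(open("fields.yml"))).
FIELDS_YML: List[Dict[str, Any]] = [
    {"name": "winlog", "type": "group", "fields": [
        {"name": "event_id", "type": "keyword"},
        {"name": "event_data", "type": "object", "fields": [
            {"name": "MemberName", "type": "keyword"},
            {"name": "TargetUserName", "type": "keyword"},
        ]},
        # deliberately no "logon" group: winlog.logon.id stays undeclared
    ]},
    {"name": "event", "type": "group", "fields": [
        {"name": "action", "type": "keyword"},
    ]},
]

# Constructed visState in decoded (object, not string) form, modelled on the
# "Performer LogonID" agg quoted in the review comment above.
VIS_STATE: Dict[str, Any] = {
    "title": "Users Deleted - Table [Winlogbeat Security]",
    "type": "table",
    "aggs": [
        {"id": "1", "type": "count", "params": {}},
        {"id": "3", "type": "terms",
         "params": {"customLabel": "Target User",
                    "field": "winlog.event_data.TargetUserName"}},
        {"id": "4", "type": "terms",
         "params": {"customLabel": "Performer LogonID",
                    "field": "winlog.logon.id"}},
    ],
}


def flatten_fields(defs: List[Dict[str, Any]], prefix: str = "") -> Set[str]:
    """Dotted names declared by a fields.yml-style list, recursing into nested
    'fields' groups. Group names are included as well, since object fields
    also appear in the index pattern."""
    names: Set[str] = set()
    for entry in defs:
        name = entry.get("name")
        if not name:
            continue
        full = f"{prefix}.{name}" if prefix else name
        names.add(full)
        if entry.get("fields"):
            names |= flatten_fields(entry["fields"], full)
    return names


def referenced_fields(node: Any) -> Iterator[str]:
    """Yield every non-empty string stored under a 'field' or 'time_field' key
    anywhere in a visState object (covers classic aggs and TSVB series)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("field", "time_field") and isinstance(value, str) and value:
                yield value
            else:
                yield from referenced_fields(value)
    elif isinstance(node, list):
        for item in node:
            yield from referenced_fields(item)


def missing_fields(vis_state: Dict[str, Any],
                   defs: List[Dict[str, Any]]) -> List[str]:
    """Fields the visualization uses but fields.yml does not declare; each one
    would surface as 'Could not locate that index-pattern-field' in Kibana."""
    declared = flatten_fields(defs)
    return sorted(set(referenced_fields(vis_state)) - declared)


if __name__ == "__main__":
    for field in missing_fields(VIS_STATE, FIELDS_YML):
        print(f"{VIS_STATE['title']}: '{field}' is not declared in fields.yml")
```

Run against the real module, the loop would iterate over every visualization object in each decoded dashboard file and the parsed security module fields.yml (plus the shared fields.common.yml, since the index pattern is built from all of them); any name it prints is a field to declare before shipping the dashboard.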
The dashboards were imported together from beats where they co-existed after the second set's addition. The changes that added them to beats appear to have been: - elastic/beats#18775 - elastic/beats#15236
User and Group Management Events Dashboards