System Integration Dashboards (Classic)¶
Comprehensive monitoring dashboards for the Elastic System integration.
Overview¶
These dashboards provide monitoring for Linux/Unix systems, Windows systems, and Windows security events using the Elastic Agent System integration.
Note: Based on the Elastic integrations repository dashboards. Licensed under Elastic License 2.0.
Dashboards¶
Metrics Dashboards¶
| Dashboard | File | Description |
|---|---|---|
| Metrics Overview | 01-metrics-overview.yaml | Overview of system metrics across all monitored hosts |
| Host Details | 02-host-details.yaml | Detailed metrics for individual hosts |
Log Dashboards¶
| Dashboard | File | Description |
|---|---|---|
| Syslog | 03-syslog.yaml | System log analysis and monitoring |
| Sudo Commands | 04-sudo-commands.yaml | Privileged command execution tracking |
| SSH Logins | 05-ssh-logins.yaml | SSH authentication monitoring |
| Users & Groups | 06-users-groups.yaml | User and group management events |
Windows Security Dashboards¶
| Dashboard | File | Description |
|---|---|---|
| Windows Overview | 07-windows-overview.yaml | Windows security event overview |
| Windows Logons | 08-windows-logons.yaml | Windows authentication events |
| Windows Failed & Blocked | 09-windows-failed-blocked.yaml | Failed and blocked access attempts |
| Windows User Management | 10-windows-user-management.yaml | User account management events |
| Windows Group Management | 11-windows-group-management.yaml | Group management events |
| Windows Directory Monitoring | 12-windows-directory-monitoring.yaml | Active Directory monitoring |
| Windows System Process | 13-windows-system-process.yaml | System process events |
| Windows Policy Object | 14-windows-policy-object.yaml | Group Policy object changes |
Dashboard Definitions¶
Metrics Overview (01-metrics-overview.yaml)
```yaml
---
dashboards:
  - id: system-metrics-overview
    name: '[Metrics System] Overview'
    description: Overview of system metrics
    filters:
      - field: data_stream.dataset
        in:
          - system.process
          - system.fsstat
          - system.cpu
          - system.memory
          - system.network
          - system.load
    controls:
      - type: options
        label: Host name
        data_view: metrics-*
        field: host.name
    panels:
      - title: System Overview
        hide_title: true
        size: {w: 48, h: 3}
        markdown:
          content: |
            # System overview
            View metrics for all monitored hosts. Use the Host name control to filter by specific hosts.
      - title: Total Hosts
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: unique_count
            field: host.name
            label: Total Hosts
      - title: Inbound Traffic
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.network.in.bytes
            label: Inbound
            format:
              type: bytes
          filters:
            - field: data_stream.dataset
              equals: system.network
      - title: System Overview Table
        size: {w: 48, h: 20}
        lens:
          type: datatable
          data_view: metrics-*
          breakdowns:
            - id: host
              type: values
              field: host.name
              size: 100
          metrics:
            - id: max-cpu
              aggregation: max
              field: system.cpu.total.norm.pct
              label: Max CPU
              format:
                type: percent
            - id: avg-memory
              aggregation: average
              field: system.memory.actual.used.pct
              label: Avg Memory
              format:
                type: percent
            - id: avg-inbound
              aggregation: average
              field: system.network.in.bytes
              label: Avg Inbound
              format:
                type: bytes
            - id: avg-outbound
              aggregation: average
              field: system.network.out.bytes
              label: Avg Outbound
              format:
                type: bytes
          paging:
            enabled: true
            page_size: 10
      - title: CPU Usage (%)
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.cpu.total.norm.pct
            label: CPU %
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.cpu
      - title: Memory Usage (%)
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.memory.actual.used.pct
            label: Memory %
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.memory
      - title: Outbound Traffic
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.network.out.bytes
            label: Outbound
            format:
              type: bytes
          filters:
            - field: data_stream.dataset
              equals: system.network
      - title: Disk Usage (%)
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.filesystem.used.pct
            label: Disk %
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.fsstat
      - title: Load Average (5m)
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.load.5
            label: Load 5m
          filters:
            - field: data_stream.dataset
              equals: system.load
      - title: Number of CPUs
        size: {w: 12, h: 7}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: max
            field: system.cpu.cores
            label: CPUs
            format:
              type: number
              decimals: 0
          filters:
            - field: data_stream.dataset
              equals: system.cpu
```
Host Details (02-host-details.yaml)
```yaml
---
dashboards:
  - id: system-host-overview
    name: '[Metrics System] Host overview'
    description: Overview of host metrics
    filters:
      - field: data_stream.dataset
        in:
          - system.cpu
          - system.diskio
          - system.fsstat
          - system.load
          - system.memory
          - system.network
          - system.process
          - system.process.summary
          - system.socket_summary
          - system.uptime
    controls:
      - type: options
        label: host.name
        data_view: metrics-*
        field: host.name
    panels:
      - title: System Navigation
        hide_title: true
        size: {w: 48, h: 3}
        markdown:
          content: |
            ### [System overview](system-metrics-overview)
      - title: CPU Usage
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.cpu.total.norm.pct
            label: CPU %
            format:
              type: percent
      - title: Memory Usage
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.memory.actual.used.pct
            label: Memory %
            format:
              type: percent
      - title: Disk I/O
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.diskio.read.bytes
            label: Read
            format:
              type: bytes
      - title: Inbound Traffic
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.network.in.bytes
            label: Inbound
            format:
              type: bytes
      - title: Outbound Traffic
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.network.out.bytes
            label: Outbound
            format:
              type: bytes
      - title: Load Average
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.load.1
            label: Load 1m
      - title: Disk Write I/O
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.diskio.write.bytes
            label: Write
            format:
              type: bytes
      - title: Max Disk Usage
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: max
            field: system.filesystem.used.pct
            label: Max Disk %
            format:
              type: percent
      - title: CPU
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: |
            ## CPU
      - title: Top processes by CPU usage
        size: {w: 24, h: 12}
        lens:
          type: datatable
          data_view: metrics-*
          breakdowns:
            - id: process-name
              type: values
              field: system.process.name
              size: 10
          metrics:
            - id: avg-cpu
              aggregation: average
              field: system.process.cpu.total.norm.pct
              label: CPU %
              format:
                type: percent
          paging:
            enabled: true
            page_size: 10
      - title: CPU usage over time
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.cpu.total.norm.pct
              label: CPU %
              format:
                type: percent
      - title: System load
        size: {w: 48, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.load.1
              label: 1 min
            - aggregation: average
              field: system.load.5
              label: 5 min
            - aggregation: average
              field: system.load.15
              label: 15 min
      - title: Memory
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: |
            ## Memory
      - title: Top processes by memory usage
        size: {w: 24, h: 12}
        lens:
          type: datatable
          data_view: metrics-*
          breakdowns:
            - id: process-name
              type: values
              field: system.process.name
              size: 10
          metrics:
            - id: avg-memory
              aggregation: average
              field: system.process.memory.rss.pct
              label: Memory %
              format:
                type: percent
          paging:
            enabled: true
            page_size: 10
      - title: Memory usage over time
        size: {w: 24, h: 12}
        lens:
          type: area
          mode: stacked
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.memory.actual.used.bytes
              label: Used
              format:
                type: bytes
            - aggregation: average
              field: system.memory.actual.free
              label: Free
              format:
                type: bytes
      - title: Network
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: |
            ## Network
      - title: Inbound traffic
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.network.in.bytes
              label: Inbound
              format:
                type: bytes
          breakdown:
            type: values
            field: system.network.name
            size: 5
      - title: Outbound traffic
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.network.out.bytes
              label: Outbound
              format:
                type: bytes
          breakdown:
            type: values
            field: system.network.name
            size: 5
      - title: Disk I/O
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: |
            ## Disk I/O
      - title: Disk read throughput
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.diskio.read.bytes
              label: Read
              format:
                type: bytes
      - title: Disk write throughput
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.diskio.write.bytes
              label: Write
              format:
                type: bytes
      - title: Filesystem
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: |
            ## Filesystem
      - title: Filesystem usage by mount point
        size: {w: 24, h: 12}
        lens:
          type: bar
          mode: percentage
          data_view: metrics-*
          dimension:
            type: values
            field: system.filesystem.mount_point
            size: 10
          metrics:
            - aggregation: average
              field: system.filesystem.used.bytes
              label: Used
              format:
                type: bytes
      - title: Filesystem usage over time
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.filesystem.used.pct
              label: Usage %
              format:
                type: percent
          breakdown:
            type: values
            field: system.filesystem.mount_point
            size: 5
```
Syslog (03-syslog.yaml)
```yaml
---
dashboards:
  - id: system-syslog-dashboard
    name: '[Logs System] Syslog dashboard'
    description: Syslog dashboard from the Logs System integration
    filters:
      - field: data_stream.dataset
        equals: system.syslog
    panels:
      - title: Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Syslog
              dashboard: system-syslog-dashboard
            - label: Sudo commands
              dashboard: system-sudo-commands
            - label: SSH logins
              dashboard: system-ssh-logins
            - label: New users and groups
              dashboard: system-users-groups
      - title: Syslog events by hostname
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: host.hostname
            size: 10
      - title: Syslog hostnames and processes
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
            - type: values
              field: system.syslog.program
              size: 10
          metrics:
            - aggregation: count
      - title: Recent Syslog Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: program
              type: values
              field: system.syslog.program
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Sudo Commands (04-sudo-commands.yaml)
```yaml
---
dashboards:
  - id: system-sudo-commands
    name: '[Logs System] Sudo commands'
    description: Sudo commands from the System integration
    filters:
      - exists: system.auth.sudo.command
    panels:
      - title: Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Syslog
              dashboard: system-syslog-dashboard
            - label: Sudo commands
              dashboard: system-sudo-commands
            - label: SSH logins
              dashboard: system-ssh-logins
            - label: New users and groups
              dashboard: system-users-groups
      - title: Sudo commands over time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Commands
          breakdown:
            type: values
            field: system.auth.sudo.user
            size: 10
      - title: Sudo users
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: system.auth.sudo.user
              size: 10
          metrics:
            - aggregation: count
      - title: Recent Sudo Commands
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: user
              type: values
              field: system.auth.sudo.user
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
SSH Logins (05-ssh-logins.yaml)
```yaml
---
dashboards:
  - id: system-ssh-logins
    name: '[Logs System] SSH login attempts'
    description: SSH login attempts from the System integration
    filters:
      - exists: system.auth.ssh.event
    panels:
      - title: Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Syslog
              dashboard: system-syslog-dashboard
            - label: Sudo commands
              dashboard: system-sudo-commands
            - label: SSH logins
              dashboard: system-ssh-logins
            - label: New users and groups
              dashboard: system-users-groups
      - title: SSH login attempts over time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Attempts
          breakdown:
            type: values
            field: system.auth.ssh.event
            size: 10
      - title: SSH events
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: system.auth.ssh.event
              size: 10
          metrics:
            - aggregation: count
      - title: SSH users
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: user.name
              size: 10
          metrics:
            - aggregation: count
      - title: SSH methods
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: system.auth.ssh.method
              size: 10
          metrics:
            - aggregation: count
      - title: Recent SSH Login Attempts
        size: {w: 48, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event
              type: values
              field: system.auth.ssh.event
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Users & Groups (06-users-groups.yaml)
```yaml
---
dashboards:
  - id: system-users-groups
    name: '[Logs System] User and Group Management'
    description: User and group management events from the System integration
    filters:
      - field: event.module
        equals: system
      - field: event.category
        equals: iam
    panels:
      - title: Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Syslog
              dashboard: system-syslog-dashboard
            - label: Sudo commands
              dashboard: system-sudo-commands
            - label: SSH logins
              dashboard: system-ssh-logins
      - title: User and group events over time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: event.action
            size: 10
      - title: Event actions
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: event.action
              size: 10
          metrics:
            - aggregation: count
      - title: Hosts
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
      - title: Users
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: user.name
              size: 10
          metrics:
            - aggregation: count
      - title: Recent User and Group Events
        size: {w: 48, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
              label: Timestamp
            - id: hostname
              type: values
              field: host.hostname
              label: Host
            - id: action
              type: values
              field: event.action
              label: Action
            - id: user
              type: values
              field: user.name
              label: User
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Windows Overview (07-windows-overview.yaml)
```yaml
---
dashboards:
  - id: system-windows-overview
    name: '[System] Windows Overview'
    description: Overview of Windows system events
    filters:
      - field: event.module
        equals: system
      - field: host.os.platform
        equals: windows
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: Failed Accounts
              dashboard: system-windows-failed-blocked
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
            - label: Directory Monitoring
              dashboard: system-windows-directory-monitoring
            - label: System & Process
              dashboard: system-windows-system-process
            - label: Policy & Object
              dashboard: system-windows-policy-object
      - title: Windows Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      - title: Event IDs
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
      - title: Hosts
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
      - title: Event Actions
        size: {w: 16, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: event.action
              size: 10
          metrics:
            - aggregation: count
      - title: Recent Windows Events
        size: {w: 48, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: action
              type: values
              field: event.action
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Windows Logons (08-windows-logons.yaml)
```yaml
---
dashboards:
  - id: system-windows-logons
    name: '[System Windows Security] User Logons'
    description: Windows user logon events
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4624'
          - '4625'
          - '4634'
          - '4647'
          - '4648'
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: Failed Accounts
              dashboard: system-windows-failed-blocked
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
            - label: Directory Monitoring
              dashboard: system-windows-directory-monitoring
            - label: System & Process
              dashboard: system-windows-system-process
            - label: Policy & Object
              dashboard: system-windows-policy-object
      - title: Logon Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      - title: Total Logon Attempts
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Attempts
          filters:
            - field: winlog.event_id
              in:
                - '4624'
                - '4625'
      - title: Successful Logons
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Successful
          filters:
            - field: winlog.event_id
              equals: '4624'
            - field: event.outcome
              equals: success
      - title: Failed Logons
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Failed
          filters:
            - field: winlog.event_id
              equals: '4625'
      - title: Logoffs
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Logoffs
          filters:
            - field: winlog.event_id
              in:
                - '4634'
                - '4647'
      - title: Logon Types
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.logon.type
              size: 10
          metrics:
            - aggregation: count
      - title: Top Users
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: user.name
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      - title: Logon by Source IP
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: source-ip
              type: values
              field: source.ip
              size: 20
          metrics:
            - id: event-count
              aggregation: count
              label: Events
          paging:
            enabled: true
            page_size: 10
      - title: Recent Logon Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Windows Failed & Blocked (09-windows-failed-blocked.yaml)
```yaml
---
dashboards:
  - id: system-windows-failed-blocked
    name: '[System Windows Security] Failed and Blocked Accounts'
    description: Windows failed logon attempts and blocked accounts
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4625'
          - '4740'
          - '4767'
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: Failed Accounts
              dashboard: system-windows-failed-blocked
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
      - title: Failed and Blocked Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      - title: Failed Logons (4625)
        size: {w: 16, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Failed Logons
          filters:
            - field: winlog.event_id
              equals: '4625'
      - title: Account Lockouts (4740)
        size: {w: 16, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Lockouts
          filters:
            - field: winlog.event_id
              equals: '4740'
      - title: Account Unlocks (4767)
        size: {w: 16, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Unlocks
          filters:
            - field: winlog.event_id
              equals: '4767'
      - title: Failed Logon Reasons
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_data.SubStatus
              size: 10
          metrics:
            - aggregation: count
          filters:
            - field: winlog.event_id
              equals: '4625'
      - title: Top Failed Users
        size: {w: 24, h: 15}
        lens:
          type: bar
          data_view: logs-*
          dimension:
            type: values
            field: user.name
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          filters:
            - field: winlog.event_id
              equals: '4625'
      - title: Failed Logons by Source IP
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: source-ip
              type: values
              field: source.ip
              size: 20
          metrics:
            - id: failed-count
              aggregation: count
              label: Failed Attempts
          paging:
            enabled: true
            page_size: 10
          filters:
            - field: winlog.event_id
              equals: '4625'
      - title: Recent Failed and Blocked Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
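Every Windows dashboard above combines a dashboard-level winlog.event_id filter with per-panel filters, and its link bar points at other dashboards by id. A panel whose event ids fall outside the dashboard-level set can never show anything, and a link to an undefined id is a dead button. The following Python check is an added example, not part of the dashboard set; it assumes the YAML files have already been loaded into dicts (for instance with yaml.safe_load) and embeds a constructed, trimmed copy of the Failed & Blocked definition with one deliberately wrong panel.

```python
"""Consistency checks for dashboard definitions in the structure used on this page.

Added example. Assumes the YAML was already loaded into Python dicts (e.g. with
yaml.safe_load), so no YAML parser is needed. SAMPLE_DASHBOARDS below is a
constructed miniature of 09-windows-failed-blocked.yaml, not the real file.
"""
from typing import Dict, List


def event_ids_in_filters(filters: List[dict]) -> set:
    """Collect every winlog.event_id value a filter list allows (equals or in)."""
    ids = set()
    for f in filters or []:
        if f.get("field") != "winlog.event_id":
            continue
        if "equals" in f:
            ids.add(str(f["equals"]))
        ids.update(str(v) for v in f.get("in", []))
    return ids


def unreachable_panels(dashboard: dict) -> List[str]:
    """Titles of panels whose event-id filter is not a subset of the dashboard filter.

    The dashboard-level filter is applied first, so such a panel always renders
    zero results. Dashboards without an event-id filter are not checked.
    """
    allowed = event_ids_in_filters(dashboard.get("filters", []))
    if not allowed:
        return []
    bad = []
    for panel in dashboard.get("panels", []):
        lens = panel.get("lens") or {}
        wanted = event_ids_in_filters(lens.get("filters", []))
        if wanted and not wanted <= allowed:
            bad.append(panel["title"])
    return bad


def dangling_links(dashboards: List[dict]) -> List[str]:
    """'source-id -> target-id' for link-bar items that point at an unknown dashboard."""
    known = {d["id"] for d in dashboards}
    dangling = []
    for d in dashboards:
        for panel in d.get("panels", []):
            for item in (panel.get("links") or {}).get("items", []):
                if item["dashboard"] not in known:
                    dangling.append(f"{d['id']} -> {item['dashboard']}")
    return dangling


# Constructed sample: trimmed Failed & Blocked dashboard plus one broken panel,
# and a stub overview dashboard so one link resolves and one does not.
SAMPLE_DASHBOARDS = [
    {
        "id": "system-windows-failed-blocked",
        "filters": [
            {"field": "event.module", "equals": "system"},
            {"field": "winlog.event_id", "in": ["4625", "4740", "4767"]},
        ],
        "panels": [
            {"title": "Windows Dashboards",
             "links": {"items": [
                 {"label": "Windows Overview", "dashboard": "system-windows-overview"},
                 {"label": "User Logons", "dashboard": "system-windows-logons"},
             ]}},
            {"title": "Account Lockouts (4740)",
             "lens": {"filters": [{"field": "winlog.event_id", "equals": "4740"}]}},
            # Deliberately wrong: 4720 is outside the dashboard-level filter.
            {"title": "User Created (4720)",
             "lens": {"filters": [{"field": "winlog.event_id", "equals": "4720"}]}},
        ],
    },
    {"id": "system-windows-overview", "filters": [], "panels": []},
]


def run_checks(dashboards: List[dict]) -> Dict[str, List[str]]:
    """Run both checks over every dashboard; findings keyed by check name."""
    unreachable = []
    for d in dashboards:
        unreachable.extend(f"{d['id']}: {t}" for t in unreachable_panels(d))
    return {"unreachable_panels": unreachable,
            "dangling_links": dangling_links(dashboards)}


if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE_DASHBOARDS).items():
        print(check, findings or "ok")
```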
Windows User Management (10-windows-user-management.yaml)
```yaml
---
dashboards:
  - id: system-windows-user-management
    name: '[System Windows Security] User Management Events'
    description: Windows user account management events
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4720'
          - '4722'
          - '4723'
          - '4724'
          - '4725'
          - '4726'
          - '4738'
          - '4740'
          - '4765'
          - '4766'
          - '4767'
          - '4780'
          - '4781'
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: Failed Accounts
              dashboard: system-windows-failed-blocked
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
      - title: User Management Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 15
      - title: User Created (4720)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Created
          filters:
            - field: winlog.event_id
              equals: '4720'
      - title: User Enabled (4722)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Enabled
          filters:
            - field: winlog.event_id
              equals: '4722'
      - title: User Disabled (4725)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Disabled
          filters:
            - field: winlog.event_id
              equals: '4725'
      - title: User Deleted (4726)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Deleted
          filters:
            - field: winlog.event_id
              equals: '4726'
      - title: Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 15
          metrics:
            - aggregation: count
      - title: Affected Users
        size: {w: 24, h: 15}
        lens:
          type: bar
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.TargetUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      - title: User Management by Actor
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: actor
              type: values
              field: winlog.event_data.SubjectUserName
              size: 20
          metrics:
            - id: event-count
              aggregation: count
              label: Events
          paging:
            enabled: true
            page_size: 10
      - title: Recent User Management Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Windows Group Management (11-windows-group-management.yaml)
```yaml
---
dashboards:
  - id: system-windows-group-management
    name: '[System Windows Security] Group Management Events'
    description: Windows security group management events
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4727'
          - '4728'
          - '4729'
          - '4730'
          - '4731'
          - '4732'
          - '4733'
          - '4734'
          - '4735'
          - '4737'
          - '4754'
          - '4755'
          - '4756'
          - '4757'
          - '4758'
          - '4759'
          - '4760'
          - '4761'
          - '4762'
          - '4763'
          - '4764'
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
            - label: Directory Monitoring
              dashboard: system-windows-directory-monitoring
      - title: Group Management Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 20
      - title: Group Created
        size: {w: 10, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Created
          filters:
            - field: winlog.event_id
              in:
                - '4727'
                - '4731'
                - '4754'
                - '4759'
      - title: Member Added
        size: {w: 10, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Added
          filters:
            - field: winlog.event_id
              in:
                - '4728'
                - '4732'
                - '4756'
                - '4761'
      - title: Group Modified
        size: {w: 8, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Modified
          filters:
            - field: winlog.event_id
              in:
                - '4735'
                - '4737'
                - '4755'
                - '4760'
                - '4764'
      - title: Member Removed
        size: {w: 10, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Removed
          filters:
            - field: winlog.event_id
              in:
                - '4729'
                - '4733'
                - '4757'
                - '4762'
      - title: Group Deleted
        size: {w: 10, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Deleted
          filters:
            - field: winlog.event_id
              in:
                - '4730'
                - '4734'
                - '4758'
                - '4763'
      - title: Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 20
          metrics:
            - aggregation: count
      - title: Affected Groups
        size: {w: 24, h: 15}
        lens:
          type: bar
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.TargetUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      - title: Group Management by Actor
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: actor
              type: values
              field: winlog.event_data.SubjectUserName
              size: 20
          metrics:
            - id: event-count
              aggregation: count
              label: Events
          paging:
            enabled: true
            page_size: 10
      - title: Recent Group Management Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Windows Directory Monitoring (12-windows-directory-monitoring.yaml)
```yaml
---
dashboards:
  - id: system-windows-directory-monitoring
    name: '[System Windows Security] Directory & Account Monitoring'
    description: Windows Active Directory and account monitoring events
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4742'
          - '4743'
          - '4768'
          - '4769'
          - '4770'
          - '4771'
          - '4772'
          - '4776'
          - '4777'
          - '4778'
          - '4779'
          - '4782'
          - '4783'
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: Failed Accounts
              dashboard: system-windows-failed-blocked
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
            - label: Directory Monitoring
              dashboard: system-windows-directory-monitoring
            - label: System & Process
              dashboard: system-windows-system-process
      - title: Directory Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 15
      - title: Computer Account Changes (4742)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Changes
          filters:
            - field: winlog.event_id
              equals: '4742'
      - title: Kerberos TGT Requests (4768)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: TGT Requests
          filters:
            - field: winlog.event_id
              equals: '4768'
      - title: Kerberos Service Tickets (4769)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Service Tickets
          filters:
            - field: winlog.event_id
              equals: '4769'
      - title: Credential Validation (4776)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Validations
          filters:
            - field: winlog.event_id
              equals: '4776'
      - title: Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 15
          metrics:
            - aggregation: count
      - title: Top Accounts
        size: {w: 24, h: 15}
        lens:
          type: bar
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.TargetUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          filters:
            - field: winlog.event_id
              in:
                - '4742'
                - '4743'
                - '4768'
                - '4769'
                - '4770'
                - '4771'
                - '4772'
                - '4776'
      - title: Events by Source
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: source-ip
              type: values
              field: source.ip
              size: 20
          metrics:
            - id: event-count
              aggregation: count
              label: Events
          paging:
            enabled: true
            page_size: 10
      - title: Recent Directory Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
              label: Time
            - id: event-id
              type: values
              field: winlog.event_id
              label: Event ID
            - id: user
              type: values
              field: user.name
              label: User
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Windows System Process (13-windows-system-process.yaml)

```yaml
---
dashboards:
  - id: system-windows-system-process
    name: '[System Windows Security] System & Process Activity'
    description: Windows system and process activity events
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '1102'
          - '4608'
          - '4609'
          - '4610'
          - '4611'
          - '4614'
          - '4616'
          - '4618'
          - '4688'
          - '4689'
          - '4697'
          - '5024'
          - '5025'
          - '5033'
          - '5059'
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: Failed Accounts
              dashboard: system-windows-failed-blocked
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
            - label: Directory Monitoring
              dashboard: system-windows-directory-monitoring
            - label: Policy & Object
              dashboard: system-windows-policy-object
      - title: System & Process Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 15
      - title: Audit Log Cleared (1102)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Log Clears
          filters:
            - field: winlog.event_id
              equals: '1102'
      - title: Process Created (4688)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Created
          filters:
            - field: winlog.event_id
              equals: '4688'
      - title: Process Terminated (4689)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Terminated
          filters:
            - field: winlog.event_id
              equals: '4689'
      - title: Service Installed (4697)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Installed
          filters:
            - field: winlog.event_id
              equals: '4697'
      - title: Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 15
          metrics:
            - aggregation: count
      - title: Top Processes
        size: {w: 24, h: 15}
        lens:
          type: bar
          data_view: logs-*
          dimension:
            type: values
            field: process.name
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          filters:
            - field: winlog.event_id
              in:
                - '4688'
                - '4689'
      - title: Process Activity by User
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: username
              type: values
              field: user.name
              size: 20
              sort:
                by: process-count
                direction: desc
          metrics:
            - id: process-count
              aggregation: count
              label: Process Events
          paging:
            enabled: true
            page_size: 10
          filters:
            - field: winlog.event_id
              equals: '4688'
      - title: Recent System & Process Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
Windows Policy Object (14-windows-policy-object.yaml)

```yaml
---
dashboards:
  - id: system-windows-policy-object
    name: '[System Windows Security] Policy & Object Monitoring'
    description: Windows policy changes and object access monitoring events
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4103'
          - '4104'
          - '4615'
          - '4618'
          - '4657'
          - '4663'
          - '4670'
          - '4698'
          - '4699'
          - '4700'
          - '4701'
          - '4702'
          - '4719'
          - '4817'
          - '4902'
          - '4904'
          - '4905'
          - '4906'
          - '4907'
          - '4912'
          - '4950'
          - '4954'
          - '4956'
          - '4957'
          - '4958'
    panels:
      - title: Windows Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Windows Overview
              dashboard: system-windows-overview
            - label: User Logons
              dashboard: system-windows-logons
            - label: Failed Accounts
              dashboard: system-windows-failed-blocked
            - label: User Management
              dashboard: system-windows-user-management
            - label: Group Management
              dashboard: system-windows-group-management
            - label: Directory Monitoring
              dashboard: system-windows-directory-monitoring
            - label: System & Process
              dashboard: system-windows-system-process
      - title: Policy & Object Events Over Time
        size: {w: 48, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 25
      - title: Audit Policy Changes (4719)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Changes
          filters:
            - field: winlog.event_id
              equals: '4719'
      - title: Registry Value Modified (4657)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Modified
          filters:
            - field: winlog.event_id
              equals: '4657'
      - title: Object Access (4663)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Accesses
          filters:
            - field: winlog.event_id
              equals: '4663'
      - title: Task Scheduled (4698)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Tasks
          filters:
            - field: winlog.event_id
              equals: '4698'
      - title: Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 15
          metrics:
            - aggregation: count
      - title: Top Users
        size: {w: 24, h: 15}
        lens:
          type: bar
          data_view: logs-*
          dimension:
            type: values
            field: user.name
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      - title: Object Types Accessed
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_data.ObjectType
              size: 10
          metrics:
            - aggregation: count
          filters:
            - field: winlog.event_id
              in:
                - '4657'
                - '4663'
                - '4670'
      - title: Recent Policy & Object Events
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 20
```
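The definitions above share one shape: a dashboard-level `filters` list that scopes every panel to a set of `winlog.event_id` values, panels that add their own `filters`, `sort` keys that must name a metric, and a "Windows Dashboards" link bar that points at other dashboard ids. Two mistakes are easy to make when editing these files by hand and produce no error, only an empty or broken panel: a panel filter on an event id the dashboard-level filter already excludes (the two filters are ANDed, so the panel can never match), and a link to a dashboard id that does not exist. The following script is an added example written for this page, not part of the Elastic integration or any dashboard tool; it lints a definition for those cases, shows the Elasticsearch bool query a filter list implies, and assumes a 48-column grid (the widest panels on the page use `w: 48`) and, for `load_dashboards` only, that PyYAML is installed. The sample dashboard is constructed from a cut-down `13-windows-system-process.yaml` with two deliberate defects.

```python
"""Offline sanity checks for dashboard definitions in the YAML shape used on this
page (dashboards -> filters/panels -> lens/links). Editor's own illustration; not
part of the Elastic integration or of any dashboard-as-code tooling."""
from typing import Any, Dict, List, Optional, Set

GRID_WIDTH = 48  # assumption: the widest panels on the page use w: 48

# Dashboard ids that appear on this page; a link to anything else is a dead link.
KNOWN_DASHBOARDS: Set[str] = {
    "system-windows-overview", "system-windows-logons",
    "system-windows-failed-blocked", "system-windows-user-management",
    "system-windows-group-management", "system-windows-directory-monitoring",
    "system-windows-system-process", "system-windows-policy-object",
}

# Constructed sample, cut down from 13-windows-system-process.yaml, with two
# deliberate defects: a misspelled link target, and a panel filter on '9999'
# (a placeholder id) that the dashboard-level filter excludes.
SAMPLE: Dict[str, Any] = {
    "id": "system-windows-system-process",
    "filters": [
        {"field": "event.module", "equals": "system"},
        {"field": "winlog.event_id", "in": ["1102", "4688", "4689", "4697"]},
    ],
    "panels": [
        {"title": "Windows Dashboards", "size": {"w": 48, "h": 3},
         "links": {"layout": "horizontal", "items": [
             {"label": "Windows Overview", "dashboard": "system-windows-overview"},
             {"label": "Policy & Object", "dashboard": "system-windows-policy-objects"},
         ]}},
        {"title": "Audit Log Cleared (1102)", "size": {"w": 12, "h": 4},
         "lens": {"type": "metric", "data_view": "logs-*",
                  "primary": {"aggregation": "count", "label": "Log Clears"},
                  "filters": [{"field": "winlog.event_id", "equals": "1102"}]}},
        {"title": "Top Processes", "size": {"w": 24, "h": 15},
         "lens": {"type": "bar", "data_view": "logs-*",
                  "dimension": {"type": "values", "field": "process.name", "size": 10,
                                "sort": {"by": "Events", "direction": "desc"}},
                  "metrics": [{"aggregation": "count", "label": "Events"}],
                  "filters": [{"field": "winlog.event_id", "in": ["4688", "9999"]}]}},
    ],
}


def event_id_scope(filters: List[Dict[str, Any]]) -> Optional[Set[str]]:
    """Set of winlog.event_id values a filter list lets through; None if unrestricted."""
    allowed: Optional[Set[str]] = None
    for flt in filters:
        if flt.get("field") != "winlog.event_id":
            continue
        values = {str(flt["equals"])} if "equals" in flt else {str(v) for v in flt.get("in", [])}
        allowed = values if allowed is None else allowed & values
    return allowed


def lint_dashboard(dash: Dict[str, Any], known: Set[str] = KNOWN_DASHBOARDS) -> List[str]:
    """Return human-readable problems; an empty list means the definition passed."""
    problems: List[str] = []
    scope = event_id_scope(dash.get("filters", []))
    for panel in dash.get("panels", []):
        title = panel.get("title", "<untitled>")
        width = panel.get("size", {}).get("w", 0)
        if width > GRID_WIDTH:
            problems.append(f"{title}: width {width} exceeds the {GRID_WIDTH}-column grid")
        for item in panel.get("links", {}).get("items", []):
            if item.get("dashboard") not in known:
                problems.append(f"{title}: link target {item.get('dashboard')!r} is not a known dashboard")
        lens = panel.get("lens", {})
        panel_scope = event_id_scope(lens.get("filters", []))
        if scope is not None and panel_scope is not None and panel_scope - scope:
            # Dashboard-level and panel-level filters are ANDed, so these ids never match.
            problems.append(f"{title}: event ids {sorted(panel_scope - scope)} are excluded by the dashboard filter")
        metric_names = {m[k] for m in lens.get("metrics", []) for k in ("id", "label") if k in m}
        for dim in [lens.get("dimension")] + list(lens.get("breakdowns", [])):
            sort = (dim or {}).get("sort")
            if sort and sort.get("by") not in metric_names:
                problems.append(f"{title}: sort key {sort.get('by')!r} names no metric id or label")
    return problems


def filters_to_query(filters: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Translate the page's filter list into the Elasticsearch bool query it implies."""
    clauses: List[Dict[str, Any]] = []
    for flt in filters:
        if "equals" in flt:
            clauses.append({"term": {flt["field"]: flt["equals"]}})
        elif "in" in flt:
            clauses.append({"terms": {flt["field"]: list(flt["in"])}})
        else:
            raise ValueError(f"unsupported filter: {flt!r}")
    return {"query": {"bool": {"filter": clauses}}}


def load_dashboards(path: str) -> List[Dict[str, Any]]:
    """Load a file in this page's format; assumes PyYAML is installed (imported lazily)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)["dashboards"]


if __name__ == "__main__":
    for problem in lint_dashboard(SAMPLE):
        print("PROBLEM:", problem)
```

Run against the real files with `for d in load_dashboards("13-windows-system-process.yaml"): print(lint_dashboard(d))`; `KNOWN_DASHBOARDS` should then be built from the ids found across all files rather than the fixed set above. The scope check only reasons about `winlog.event_id`; extending it to other fields is a matter of generalising `event_id_scope` to a per-field map.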
Prerequisites¶
- Elastic Agent: With System integration configured
- Kibana: Version 8.x or later
Data Requirements¶
- Data views: `metrics-*` (for metrics), `logs-*` (for logs)
- Data stream datasets: `system.cpu`, `system.memory`, `system.network`, `system.filesystem`, `system.process`, `system.load`, `system.fsstat`, `system.syslog`, `system.auth`
Related¶
See also: System Modern Dashboards for dashboards with modern UX patterns.