# System Integration Dashboards (Modern)
Modern monitoring dashboards for the Elastic System integration with progressive disclosure patterns.
## Overview
These dashboards provide the same functionality as the classic System dashboards but are redesigned with modern UX patterns. One caveat when reading the metrics dashboards: the network and disk I/O panels aggregate `system.network.*.bytes` and `system.diskio.*.bytes` with `average`, and the System integration collects those fields as cumulative counters, so those panels plot a running total rather than throughput unless the aggregation is changed to a rate.
Note: Based on the Elastic integrations repository dashboards. Licensed under Elastic License 2.0.
## Dashboards
### Metrics Dashboards
| Dashboard | File | Description |
|---|---|---|
| Metrics Overview | 01-metrics-overview.yaml | Modern overview of system metrics across all monitored hosts |
| Host Details | 02-host-details.yaml | Detailed metrics for individual hosts |
### Log Dashboards
| Dashboard | File | Description |
|---|---|---|
| Syslog | 03-syslog.yaml | System log analysis and monitoring |
| Sudo Commands | 04-sudo-commands.yaml | Privileged command execution tracking |
| SSH Logins | 05-ssh-logins.yaml | SSH authentication monitoring |
| Users & Groups | 06-users-groups.yaml | User and group management events |
### Windows Security Dashboards
| Dashboard | File | Description |
|---|---|---|
| Windows Overview | 07-windows-overview.yaml | Windows security event overview |
| Windows Logons | 08-windows-logons.yaml | Windows authentication events |
| Windows Failed & Blocked | 09-windows-failed-blocked.yaml | Failed and blocked access attempts |
| Windows User Management | 10-windows-user-management.yaml | User account management events |
| Windows Group Management | 11-windows-group-management.yaml | Group management events |
| Windows Directory Monitoring | 12-windows-directory-monitoring.yaml | Active Directory monitoring |
| Windows System Process | 13-windows-system-process.yaml | System process events |
| Windows Policy Object | 14-windows-policy-object.yaml | Group Policy object changes |
## Dashboard Definitions
Metrics Overview (01-metrics-overview.yaml)

```yaml
---
# Modern System Metrics Overview Dashboard
# Following Dashboard Style Guide best practices:
# - 4-layer hierarchy: Context → Summary → Analysis → Detail
# - Progressive disclosure from overview to detail
# - Charts preferred over standalone metrics
# - Cursor synchronization enabled
# - Proper time configuration
dashboards:
  - id: system-modern-metrics-overview
    name: '[Metrics System] Overview'
    description: >-
      Modern overview of system metrics across all monitored hosts.
      Navigate to host details for deeper analysis.
    filters:
      - field: data_stream.dataset
        in:
          - system.cpu
          - system.memory
          - system.network
          - system.filesystem
          - system.process
    controls:
      - type: options
        label: Host
        data_view: metrics-*
        field: host.name
    panels:
      # Context Layer - Navigation
      - title: System Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Metrics Overview
              dashboard: system-modern-metrics-overview
            - label: Host Details
              dashboard: system-modern-host-details
            - label: Syslog
              dashboard: system-modern-syslog
            - label: Sudo Commands
              dashboard: system-modern-sudo-commands
            - label: SSH Logins
              dashboard: system-modern-ssh-logins
            - label: Users & Groups
              dashboard: system-modern-users-groups
      # Summary Layer - Key Metrics (limited to 4)
      - title: Total Hosts
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: unique_count
            field: host.name
            label: Hosts
      - title: Average CPU Utilization
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.cpu.total.norm.pct
            label: CPU
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.cpu
      - title: Average Memory Usage
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.memory.actual.used.pct
            label: Memory
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.memory
      - title: Average Disk Usage
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.filesystem.used.pct
            label: Disk
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.filesystem
      # Analysis Layer - Time Series Charts
      - title: CPU Utilization Over Time
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.cpu.total.norm.pct
              label: CPU %
              format:
                type: percent
          breakdown:
            type: values
            field: host.name
            size: 5
          filters:
            - field: data_stream.dataset
              equals: system.cpu
      - title: Memory Usage Over Time
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.memory.actual.used.pct
              label: Memory %
              format:
                type: percent
          breakdown:
            type: values
            field: host.name
            size: 5
          filters:
            - field: data_stream.dataset
              equals: system.memory
      - title: Network Traffic Over Time
        size: {w: 48, h: 12}
        lens:
          type: area
          mode: stacked
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.network.in.bytes
              label: Inbound
              format:
                type: bytes
            - aggregation: average
              field: system.network.out.bytes
              label: Outbound
              format:
                type: bytes
          filters:
            - field: data_stream.dataset
              equals: system.network
      # Detail Layer - Host Summary Table
      - title: Host Performance Summary
        size: {w: 48, h: 20}
        description: Click a host name to view detailed metrics
        lens:
          type: datatable
          data_view: metrics-*
          breakdowns:
            - id: hostname
              type: values
              field: host.name
              size: 100
          metrics:
            - id: cpu-max
              aggregation: max
              field: system.cpu.total.norm.pct
              label: Max CPU %
              format:
                type: percent
            - id: cpu-avg
              aggregation: average
              field: system.cpu.total.norm.pct
              label: Avg CPU %
              format:
                type: percent
            - id: mem-avg
              aggregation: average
              field: system.memory.actual.used.pct
              label: Avg Memory %
              format:
                type: percent
            - id: net-in
              aggregation: average
              field: system.network.in.bytes
              label: Avg Inbound
              format:
                type: bytes
            - id: net-out
              aggregation: average
              field: system.network.out.bytes
              label: Avg Outbound
              format:
                type: bytes
          paging:
            enabled: true
            page_size: 10
```
Host Details (02-host-details.yaml)

```yaml
---
# Modern System Host Details Dashboard
# Following Dashboard Style Guide best practices:
# - Sectioned layout with markdown headers for organization
# - Performance metrics use line charts (not pie charts)
# - Paired charts for comparison (read/write, in/out)
# - Tables for process-level detail
# - Host filter control for single-host focus
dashboards:
  - id: system-modern-host-details
    name: '[Metrics System] Host Details'
    description: >-
      Detailed performance metrics for a specific host.
      Use the host filter to select a host for analysis.
    filters:
      - field: data_stream.dataset
        in:
          - system.cpu
          - system.diskio
          - system.filesystem
          - system.load
          - system.memory
          - system.network
          - system.process
          - system.socket_summary
          - system.uptime
    controls:
      - type: options
        label: Host
        data_view: metrics-*
        field: host.name
    panels:
      # Context Layer - Navigation
      - title: System Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Metrics Overview
              dashboard: system-modern-metrics-overview
            - label: Host Details
              dashboard: system-modern-host-details
            - label: Syslog
              dashboard: system-modern-syslog
            - label: Sudo Commands
              dashboard: system-modern-sudo-commands
            - label: SSH Logins
              dashboard: system-modern-ssh-logins
            - label: Users & Groups
              dashboard: system-modern-users-groups
      # Summary Layer - Key Host Metrics (4 metrics max)
      - title: CPU
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.cpu.total.norm.pct
            label: CPU %
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.cpu
      - title: Memory
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.memory.actual.used.pct
            label: Memory %
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.memory
      - title: Disk Usage
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: max
            field: system.filesystem.used.pct
            label: Max Disk %
            format:
              type: percent
          filters:
            - field: data_stream.dataset
              equals: system.filesystem
      - title: Load Average
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: metrics-*
          primary:
            aggregation: average
            field: system.load.1
            label: 1 min
          filters:
            - field: data_stream.dataset
              equals: system.load
      # CPU Section
      - title: CPU Performance
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: '## CPU Performance'
          font_size: 14
      - title: CPU Utilization Over Time
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.cpu.total.norm.pct
              label: Total
              format:
                type: percent
            - aggregation: average
              field: system.cpu.user.norm.pct
              label: User
              format:
                type: percent
            - aggregation: average
              field: system.cpu.system.norm.pct
              label: System
              format:
                type: percent
          filters:
            - field: data_stream.dataset
              equals: system.cpu
      - title: System Load Over Time
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.load.1
              label: 1 min
            - aggregation: average
              field: system.load.5
              label: 5 min
            - aggregation: average
              field: system.load.15
              label: 15 min
          filters:
            - field: data_stream.dataset
              equals: system.load
      # Memory Section
      - title: Memory Performance
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: '## Memory'
          font_size: 14
      - title: Memory Usage Over Time
        size: {w: 24, h: 12}
        lens:
          type: area
          mode: stacked
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.memory.actual.used.bytes
              label: Used
              format:
                type: bytes
            - aggregation: average
              field: system.memory.actual.free
              label: Free
              format:
                type: bytes
          filters:
            - field: data_stream.dataset
              equals: system.memory
      - title: Memory Utilization Percentage
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.memory.actual.used.pct
              label: Used %
              format:
                type: percent
          filters:
            - field: data_stream.dataset
              equals: system.memory
      # Network Section
      - title: Network Performance
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: '## Network'
          font_size: 14
      - title: Network Traffic - Inbound
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.network.in.bytes
              label: Bytes In
              format:
                type: bytes
          breakdown:
            type: values
            field: system.network.name
            size: 5
          filters:
            - field: data_stream.dataset
              equals: system.network
      - title: Network Traffic - Outbound
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.network.out.bytes
              label: Bytes Out
              format:
                type: bytes
          breakdown:
            type: values
            field: system.network.name
            size: 5
          filters:
            - field: data_stream.dataset
              equals: system.network
      # Disk I/O Section
      - title: Disk I/O
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: '## Disk I/O'
          font_size: 14
      - title: Disk Read Throughput
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.diskio.read.bytes
              label: Read
              format:
                type: bytes
          filters:
            - field: data_stream.dataset
              equals: system.diskio
      - title: Disk Write Throughput
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.diskio.write.bytes
              label: Write
              format:
                type: bytes
          filters:
            - field: data_stream.dataset
              equals: system.diskio
      # Filesystem Section
      - title: Filesystem
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: '## Filesystem'
          font_size: 14
      - title: Filesystem Usage by Mount Point
        size: {w: 24, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: metrics-*
          dimension:
            type: values
            field: system.filesystem.mount_point
            size: 10
          metrics:
            - aggregation: average
              field: system.filesystem.used.pct
              label: Used %
              format:
                type: percent
          filters:
            - field: data_stream.dataset
              equals: system.filesystem
      - title: Filesystem Usage Over Time
        size: {w: 24, h: 12}
        lens:
          type: line
          data_view: metrics-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: average
              field: system.filesystem.used.pct
              label: Usage %
              format:
                type: percent
          breakdown:
            type: values
            field: system.filesystem.mount_point
            size: 5
          filters:
            - field: data_stream.dataset
              equals: system.filesystem
      # Processes Section - Detail Layer
      - title: Processes
        hide_title: true
        size: {w: 48, h: 2}
        markdown:
          content: '## Top Processes'
          font_size: 14
      - title: Top Processes by CPU
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: metrics-*
          breakdowns:
            - id: process-name
              type: values
              field: system.process.name
              size: 10
          metrics:
            - id: avg-cpu
              aggregation: average
              field: system.process.cpu.total.norm.pct
              label: Avg CPU %
              format:
                type: percent
            - id: max-cpu
              aggregation: max
              field: system.process.cpu.total.norm.pct
              label: Max CPU %
              format:
                type: percent
          paging:
            enabled: true
            page_size: 10
          filters:
            - field: data_stream.dataset
              equals: system.process
      - title: Top Processes by Memory
        size: {w: 24, h: 15}
        lens:
          type: datatable
          data_view: metrics-*
          breakdowns:
            - id: process-name
              type: values
              field: system.process.name
              size: 10
          metrics:
            - id: avg-memory
              aggregation: average
              field: system.process.memory.rss.pct
              label: Avg Memory %
              format:
                type: percent
            - id: max-memory
              aggregation: max
              field: system.process.memory.rss.pct
              label: Max Memory %
              format:
                type: percent
          paging:
            enabled: true
            page_size: 10
          filters:
            - field: data_stream.dataset
              equals: system.process
```
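Both metrics dashboards above aggregate `system.network.in.bytes`, `system.network.out.bytes`, `system.diskio.read.bytes` and `system.diskio.write.bytes` with `average`. The System integration reports these as cumulative byte counters, so an average of the raw field is a running total, not traffic. The following Python example, added here and not code from the page or the integration, shows the difference on a constructed sample series that includes a counter reset, and the rate computation a throughput panel actually needs.

```python
"""Why the network and disk I/O panels should not average raw byte counters.

Added example, not code from the page or from the System integration. It
assumes what the integration documents for system.network.*.bytes and
system.diskio.*.bytes: cumulative counters that only reset when the
interface, device or host restarts. The sample series is constructed.
"""


def average(samples):
    """What a Lens 'average' over the raw field shows: a running total, not a rate."""
    return sum(v for _, v in samples) / len(samples)


def counter_rate(samples):
    """Per-second rate between consecutive samples, tolerant of counter resets.

    samples: list of (timestamp_seconds, counter_value) in time order.
    Returns a list of (timestamp_seconds, bytes_per_second), one per interval.
    A drop in the counter is treated as a reset: the new value is the delta,
    which is the same convention a rate aggregation uses for a restarted host.
    """
    rates = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        delta = v1 - v0 if v1 >= v0 else v1
        rates.append((t1, delta / (t1 - t0)))
    return rates


# Constructed: one interface sampled every 10 s at a steady 1 MiB/s, with a
# reboot between t=30 and t=40 that resets the counter.
SAMPLE = [
    (0, 5_000_000_000),
    (10, 5_000_000_000 + 10 * 1_048_576),
    (20, 5_000_000_000 + 20 * 1_048_576),
    (30, 5_000_000_000 + 30 * 1_048_576),
    (40, 10 * 1_048_576),  # counter restarted after the reboot
]

if __name__ == "__main__":
    print(f"average of raw counter: {average(SAMPLE):,.0f} bytes (not a throughput)")
    for t, r in counter_rate(SAMPLE):
        print(f"t={t:>3}s  {r / 1_048_576:.2f} MiB/s")
```

Kibana Lens offers a counter rate function for exactly this purpose; whether the dashboard DSL used on this page exposes it is not shown here, so check before relying on the "Throughput" and "Traffic" titles of the panels above.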
Syslog (03-syslog.yaml)

```yaml
---
# Modern System Syslog Dashboard
# Following Dashboard Style Guide best practices:
# - Security/log dashboard pattern: events over time → categories → top users → log table
# - Area chart for event volume with breakdown
# - Horizontal bar for top programs (long labels)
# - Multi-level pie chart for hierarchical host/program distribution
# - Full-width table at bottom for drill-down
dashboards:
  - id: system-modern-syslog
    name: '[Logs System] Syslog'
    description: >-
      Syslog events analysis with host and program breakdowns.
      Filter by host or program to focus analysis.
    filters:
      - field: data_stream.dataset
        equals: system.syslog
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Program
        data_view: logs-*
        field: system.syslog.program
    panels:
      # Context Layer - Navigation
      - title: System Log Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Metrics Overview
              dashboard: system-modern-metrics-overview
            - label: Syslog
              dashboard: system-modern-syslog
            - label: Sudo Commands
              dashboard: system-modern-sudo-commands
            - label: SSH Logins
              dashboard: system-modern-ssh-logins
            - label: Users & Groups
              dashboard: system-modern-users-groups
      # Summary Layer - Key Metrics (2 metrics for logs)
      - title: Total Events
        size: {w: 16, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Unique Hosts
        size: {w: 16, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: host.hostname
            label: Hosts
      - title: Unique Programs
        size: {w: 16, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: system.syslog.program
            label: Programs
      # Analysis Layer - Time Series
      - title: Syslog Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: area
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: host.hostname
            size: 10
      # Analysis Layer - Categorical Breakdowns
      - title: Top Programs
        size: {w: 24, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: system.syslog.program
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Priority
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: log.syslog.priority
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Facility
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: log.syslog.facility.name
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - Hierarchical View
      - title: Host and Program Distribution
        size: {w: 48, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
            - type: values
              field: system.syslog.program
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Event Log Table
      - title: Recent Syslog Events
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: program
              type: values
              field: system.syslog.program
            - id: message
              type: values
              field: message
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
```
Sudo Commands (04-sudo-commands.yaml)

```yaml
---
# Modern System Sudo Commands Dashboard
# Following Dashboard Style Guide best practices:
# - Security dashboard pattern: overview → trends → top users → audit log
# - Stacked bar for command trends by user
# - Horizontal bar for top users (better for names)
# - Donut chart for command distribution
# - Full audit table at bottom
dashboards:
  - id: system-modern-sudo-commands
    name: '[Logs System] Sudo Commands'
    description: >-
      Sudo command execution analysis with user and command breakdowns.
      Monitor privileged command usage across systems.
    filters:
      - exists: system.auth.sudo.command
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Sudo User
        data_view: logs-*
        field: system.auth.sudo.user
    panels:
      # Context Layer - Navigation
      - title: System Log Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Metrics Overview
              dashboard: system-modern-metrics-overview
            - label: Syslog
              dashboard: system-modern-syslog
            - label: Sudo Commands
              dashboard: system-modern-sudo-commands
            - label: SSH Logins
              dashboard: system-modern-ssh-logins
            - label: Users & Groups
              dashboard: system-modern-users-groups
      # Summary Layer - Key Security Metrics
      - title: Total Commands
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Commands
      - title: Unique Users
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: system.auth.sudo.user
            label: Users
      - title: Unique Hosts
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: host.hostname
            label: Hosts
      - title: Unique Commands
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: system.auth.sudo.command
            label: Commands
      # Analysis Layer - Time Series
      - title: Sudo Commands Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Commands
          breakdown:
            type: values
            field: system.auth.sudo.user
            size: 10
      # Analysis Layer - Categorical Breakdowns
      - title: Top Sudo Users
        size: {w: 24, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: system.auth.sudo.user
            size: 10
            sort:
              by: Commands
              direction: desc
          metrics:
            - aggregation: count
              label: Commands
          breakdown:
            type: values
            field: host.hostname
            size: 5
      - title: Commands by User
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: system.auth.sudo.user
              size: 10
          metrics:
            - aggregation: count
              label: Commands
      - title: Commands by Host
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Commands
      # Analysis Layer - Command Analysis
      - title: User and Host Distribution
        size: {w: 48, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
            - type: values
              field: system.auth.sudo.user
              size: 10
          metrics:
            - aggregation: count
              label: Commands
      # Detail Layer - Audit Log Table
      - title: Sudo Command Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: user
              type: values
              field: system.auth.sudo.user
            - id: command
              type: values
              field: system.auth.sudo.command
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
```
SSH Logins (05-ssh-logins.yaml)

```yaml
---
# Modern System SSH Logins Dashboard
# Following Dashboard Style Guide best practices:
# - Security dashboard pattern: overview → trends → breakdowns → audit log
# - Success/failure metrics for quick status
# - Source IP analysis via stacked bar chart
# - Stacked bar for event types over time
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-ssh-logins
    name: '[Logs System] SSH Logins'
    description: >-
      SSH authentication analysis with success/failure tracking.
      Monitor login attempts, users, and source locations.
    filters:
      - exists: system.auth.ssh.event
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: SSH Event
        data_view: logs-*
        field: system.auth.ssh.event
      - type: options
        label: User
        data_view: logs-*
        field: user.name
    panels:
      # Context Layer - Navigation
      - title: System Log Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Metrics Overview
              dashboard: system-modern-metrics-overview
            - label: Syslog
              dashboard: system-modern-syslog
            - label: Sudo Commands
              dashboard: system-modern-sudo-commands
            - label: SSH Logins
              dashboard: system-modern-ssh-logins
            - label: Users & Groups
              dashboard: system-modern-users-groups
      # Summary Layer - Key Security Metrics
      - title: Total Attempts
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Attempts
      - title: Accepted Logins
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Accepted
          filters:
            - field: system.auth.ssh.event
              equals: Accepted
      - title: Failed Logins
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Failed
          filters:
            - field: system.auth.ssh.event
              equals: Failed
      - title: Unique Users
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: user.name
            label: Users
      # Analysis Layer - Time Series
      - title: SSH Login Attempts Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Attempts
          breakdown:
            type: values
            field: system.auth.ssh.event
            size: 10
      # Analysis Layer - Categorical Breakdowns
      - title: SSH Event Types
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: system.auth.ssh.event
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Authentication Methods
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: system.auth.ssh.method
              size: 10
          metrics:
            - aggregation: count
              label: Attempts
      - title: Top Users
        size: {w: 24, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: user.name
            size: 10
            sort:
              by: Attempts
              direction: desc
          metrics:
            - aggregation: count
              label: Attempts
          breakdown:
            type: values
            field: system.auth.ssh.event
            size: 5
      # Analysis Layer - Source Analysis
      - title: Login Attempts by Source IP
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: source.ip
            size: 10
            sort:
              by: Attempts
              direction: desc
          metrics:
            - aggregation: count
              label: Attempts
          breakdown:
            type: values
            field: system.auth.ssh.event
            size: 5
      - title: User and Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: system.auth.ssh.event
              size: 5
            - type: values
              field: user.name
              size: 10
          metrics:
            - aggregation: count
              label: Attempts
      # Detail Layer - Audit Log Table
      - title: SSH Login Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event
              type: values
              field: system.auth.ssh.event
            - id: user
              type: values
              field: user.name
            - id: sourceip
              type: values
              field: source.ip
            - id: method
              type: values
              field: system.auth.ssh.method
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
```
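The Sudo Commands and SSH Logins dashboards above count documents by `system.auth.sudo.user`, `system.auth.sudo.command`, `system.auth.ssh.event`, `system.auth.ssh.method`, `source.ip` and `user.name`, fields the System integration's ingest pipeline extracts from the host's auth log. The following Python example, added here and not the integration's pipeline, parses a few constructed auth.log lines into those same field names with its own regular expressions and reproduces two readings a practitioner takes from the panels: failed attempts per source address (the "Login Attempts by Source IP" panel), flagging any source that then logged in successfully, and the distinct commands per sudo invoker (the audit table). The `user.effective.name` key used for sudo's target account is this example's choice, not a field the dashboards reference.

```python
"""Parse sshd and sudo lines from a Linux auth.log into the fields the Sudo
Commands and SSH Logins dashboards aggregate, then compute what their panels
show.

Added example, not the System integration's own ingest pipeline: the regular
expressions below are this page's approximation of the sshd and sudo message
formats, and the field names follow the dashboards (system.auth.ssh.*,
system.auth.sudo.*, user.name, source.ip). The log lines are constructed.
"""
import re
from collections import Counter, defaultdict

SYSLOG_PREFIX = (
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: "
)
# "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:..."
# "Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2"
SSH_AUTH = re.compile(
    SYSLOG_PREFIX
    + r"(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    + r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
# "    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update"
SUDO_CMD = re.compile(
    SYSLOG_PREFIX
    + r"\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    + r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_line(line):
    """Return a flat, ECS-style dict for a recognised sshd or sudo line, else None."""
    m = SSH_AUTH.match(line)
    if m and m.group("prog") == "sshd":
        return {
            "host.hostname": m.group("host"),
            "system.auth.ssh.event": m.group("event"),
            "system.auth.ssh.method": m.group("method"),
            "user.name": m.group("user"),
            "source.ip": m.group("ip"),
            "source.port": int(m.group("port")),
        }
    m = SUDO_CMD.match(line)
    if m and m.group("prog") == "sudo":
        return {
            "host.hostname": m.group("host"),
            "system.auth.sudo.user": m.group("user"),
            "system.auth.sudo.tty": m.group("tty"),
            "system.auth.sudo.pwd": m.group("pwd"),
            "user.effective.name": m.group("target"),  # this example's key for the target account
            "system.auth.sudo.command": m.group("command"),
        }
    return None  # other programs (CRON, pam_unix sessions, ...) are not needed here


def parse_log(text):
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def failed_by_source(docs):
    """Counts behind the 'Login Attempts by Source IP' panel, Failed events only."""
    return Counter(d["source.ip"] for d in docs if d.get("system.auth.ssh.event") == "Failed")


def accepted_after_failures(docs, threshold=3):
    """(source.ip, user.name, prior failures) for each success preceded by >= threshold
    failures from the same address: the pattern to read off that panel first."""
    failures, hits = Counter(), []
    for d in docs:
        if "system.auth.ssh.event" not in d:
            continue
        ip = d["source.ip"]
        if d["system.auth.ssh.event"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, d["user.name"], failures[ip]))
    return hits


def commands_by_sudo_user(docs):
    """Distinct commands per invoking user, as listed in the Sudo Command Audit Log."""
    out = defaultdict(set)
    for d in docs:
        if "system.auth.sudo.command" in d:
            out[d["system.auth.sudo.user"]].add(d["system.auth.sudo.command"])
    return {u: sorted(c) for u, c in out.items()}


# Constructed sample: a short password-guessing burst, a success from the same
# address, a key-based login, two sudo invocations and one unrelated CRON line.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
Jan 12 10:00:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Jan 12 10:00:05 web1 sshd[2212]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jan 12 10:00:09 web1 sshd[2213]: Accepted password for deploy from 203.0.113.9 port 40003 ssh2
Jan 12 10:01:00 web1 sshd[2230]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Jan 12 10:01:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 12 10:01:40 web1 sudo:   deploy : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Jan 12 10:02:00 web1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    docs = parse_log(SAMPLE_AUTH_LOG)
    print("failed attempts by source:", dict(failed_by_source(docs)))
    print("success after failures:", accepted_after_failures(docs))
    print("commands by sudo user:", commands_by_sudo_user(docs))
```

The `deploy` login from 203.0.113.9 is the row worth pivoting on: the Source IP panel shows the same address under both the Failed and Accepted segments, and the Sudo audit table then shows that account spawning `/bin/bash` as root.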
Users & Groups (06-users-groups.yaml)

```yaml
---
# Modern System Users and Groups Dashboard
# Following Dashboard Style Guide best practices:
# - IAM event analysis pattern: overview → trends → action types → audit log
# - Action-focused metrics for quick status
# - Treemap for hierarchical action/user relationships
# - Stacked bar for event trends by action
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-users-groups
    name: '[Logs System] Users & Groups'
    description: >-
      Identity and access management events including user and group changes.
      Monitor account creation, modification, and group membership changes.
    filters:
      - field: event.module
        equals: system
      - field: event.category
        equals: iam
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Action
        data_view: logs-*
        field: event.action
      - type: options
        label: User
        data_view: logs-*
        field: user.name
    panels:
      # Context Layer - Navigation
      - title: System Log Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Metrics Overview
              dashboard: system-modern-metrics-overview
            - label: Syslog
              dashboard: system-modern-syslog
            - label: Sudo Commands
              dashboard: system-modern-sudo-commands
            - label: SSH Logins
              dashboard: system-modern-ssh-logins
            - label: Users & Groups
              dashboard: system-modern-users-groups
      # Summary Layer - Key IAM Metrics
      - title: Total Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Unique Actions
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: event.action
            label: Actions
      - title: Unique Users
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: user.name
            label: Users
      - title: Unique Hosts
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: host.hostname
            label: Hosts
      # Analysis Layer - Time Series
      - title: User and Group Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: event.action
            size: 10
      # Analysis Layer - Categorical Breakdowns
      - title: Event Actions
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: event.action
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Host
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by User
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: user.name
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - Hierarchical View
      - title: Action and User Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: event.action
              size: 10
            - type: values
              field: user.name
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Host and Action Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
            - type: values
              field: event.action
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Audit Log Table
      - title: User and Group Event Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: action
              type: values
              field: event.action
            - id: user
              type: values
              field: user.name
            - id: target-user
              type: values
              field: user.target.name
            - id: group
              type: values
              field: group.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
```
Windows Overview (07-windows-overview.yaml)

```yaml
---
# Modern Windows Overview Dashboard
# Following Dashboard Style Guide best practices:
# - Security dashboard pattern: overview → trends → categories → audit log
# - Key security metrics at top
# - Event trends over time with breakdown
# - Category and host analysis
# - Full event table at bottom
dashboards:
  - id: system-modern-windows-overview
    name: '[Logs System] Windows Overview'
    description: >-
      Overview of Windows security events across all monitored hosts.
      Navigate to specialized dashboards for detailed analysis.
    filters:
      - field: event.module
        equals: system
      - field: host.os.platform
        equals: windows
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Event Code
        data_view: logs-*
        field: event.code
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Metrics
      - title: Total Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Unique Event Codes
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: event.code
            label: Event Codes
      - title: Unique Hosts
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: host.hostname
            label: Hosts
      - title: Unique Users
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: user.name
            label: Users
      # Analysis Layer - Time Series
      - title: Windows Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: event.code
            size: 10
      # Analysis Layer - Categorical Breakdowns
      - title: Top Event Codes
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: event.code
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Host
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Event Actions
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: event.action
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - Host and Event Distribution
      - title: Event Distribution by Host
        size: {w: 48, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
            - type: values
              field: event.code
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Event Log Table
      - title: Recent Windows Events
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-code
              type: values
              field: event.code
            - id: action
              type: values
              field: event.action
            - id: user
              type: values
              field: user.name
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
```
Windows Logons (08-windows-logons.yaml)
---
# Modern Windows User Logons Dashboard
# Following Dashboard Style Guide best practices:
# - Security dashboard pattern: metrics → trends → breakdowns → audit log
# - Success/failure tracking for security insight
# - Logon type analysis (interactive, network, service, etc.)
# - User and source IP analysis
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-windows-logons
    name: '[Logs System] Windows Logons'
    description: >-
      Windows user logon event analysis including success/failure tracking.
      Monitor authentication patterns and identify suspicious activity.
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4624'
          - '4625'
          - '4634'
          - '4647'
          - '4648'
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: User
        data_view: logs-*
        field: user.name
      - type: options
        label: Logon Type
        data_view: logs-*
        field: winlog.logon.type
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Logon Metrics
      - title: Total Logon Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Successful Logons
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Successful
          filters:
            - field: winlog.event_id
              equals: '4624'
      - title: Failed Logons
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Failed
          filters:
            - field: winlog.event_id
              equals: '4625'
      - title: Logoffs
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Logoffs
          filters:
            - field: winlog.event_id
              in:
                - '4634'
                - '4647'
      # Analysis Layer - Time Series
      - title: Logon Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      # Analysis Layer - Categorical Breakdowns
      - title: Logon Types
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.logon.type
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Event Distribution
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Top Users
        size: {w: 16, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: user.name
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - Source Analysis
      - title: Logons by Source IP
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: source.ip
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 5
      - title: User and Logon Type Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.logon.type
              size: 10
            - type: values
              field: user.name
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Audit Log Table
      - title: Logon Event Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
            - id: logon-type
              type: values
              field: winlog.logon.type
            - id: source-ip
              type: values
              field: source.ip
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
Windows Failed & Blocked (09-windows-failed-blocked.yaml)
---
# Modern Windows Failed and Blocked Accounts Dashboard
# Following Dashboard Style Guide best practices:
# - Security incident focused: failed attempts and blocked accounts
# - Clear failure reason analysis
# - User and source IP tracking for investigation
# - Detailed audit table for forensics
dashboards:
  - id: system-modern-windows-failed-blocked
    name: '[Logs System] Windows Failed & Blocked'
    description: >-
      Windows failed logon attempts and blocked account events.
      Monitor authentication failures and account lockouts.
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4625'
          - '4740'
          - '4767'
          - '4771'
          - '4776'
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: User
        data_view: logs-*
        field: user.name
      - type: options
        label: Failure Reason
        data_view: logs-*
        field: winlog.logon.failure.reason
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Security Metrics
      - title: Total Failed Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Failed Logons (4625)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Failed Logons
          filters:
            - field: winlog.event_id
              equals: '4625'
      - title: Account Lockouts (4740)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Lockouts
          filters:
            - field: winlog.event_id
              equals: '4740'
      - title: Unique Affected Users
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: user.name
            label: Users
      # Analysis Layer - Time Series
      - title: Failed Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      # Analysis Layer - Failure Analysis
      - title: Failure Reasons
        size: {w: 24, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.logon.failure.reason
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Type
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Target Hosts
        size: {w: 12, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - User and Source Analysis
      - title: Top Failed Users
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: user.name
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 5
      - title: Source IP Analysis
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: source.ip
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.logon.failure.reason
            size: 5
      # Detail Layer - Audit Log Table
      - title: Failed Event Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: user
              type: values
              field: user.name
            - id: failure-reason
              type: values
              field: winlog.logon.failure.reason
            - id: source-ip
              type: values
              field: source.ip
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
Windows User Management (10-windows-user-management.yaml)
---
# Modern Windows User Management Dashboard
# Following Dashboard Style Guide best practices:
# - IAM event analysis: user creation, modification, deletion
# - Action-focused metrics for quick status
# - User and administrator tracking
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-windows-user-management
    name: '[Logs System] Windows User Management'
    description: >-
      Windows user account management events including creation, modification, and deletion.
      Monitor privileged user management activities.
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4720'
          - '4722'
          - '4723'
          - '4724'
          - '4725'
          - '4726'
          - '4738'
          - '4781'
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Target User
        data_view: logs-*
        field: winlog.event_data.TargetUserName
      - type: options
        label: Subject User
        data_view: logs-*
        field: winlog.event_data.SubjectUserName
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Metrics
      - title: Total Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Users Created (4720)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Created
          filters:
            - field: winlog.event_id
              equals: '4720'
      - title: Users Deleted (4726)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Deleted
          filters:
            - field: winlog.event_id
              equals: '4726'
      - title: Password Changes (4723/4724)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Password Changes
          filters:
            - field: winlog.event_id
              in:
                - '4723'
                - '4724'
      # Analysis Layer - Time Series
      - title: User Management Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      # Analysis Layer - Event Distribution
      - title: Event Types
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Host
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Top Administrators
        size: {w: 16, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.SubjectUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - User Analysis
      - title: Target Users
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.TargetUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 5
      - title: Administrator and Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_data.SubjectUserName
              size: 10
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Audit Log Table
      - title: User Management Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: subject-user
              type: values
              field: winlog.event_data.SubjectUserName
            - id: target-user
              type: values
              field: winlog.event_data.TargetUserName
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
Windows Group Management (11-windows-group-management.yaml)
---
# Modern Windows Group Management Dashboard
# Following Dashboard Style Guide best practices:
# - Group management event analysis: creation, modification, membership
# - Privileged group tracking (Domain Admins, Administrators, etc.)
# - Administrator activity monitoring
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-windows-group-management
    name: '[Logs System] Windows Group Management'
    description: >-
      Windows group management events including membership changes.
      Monitor privileged group modifications and administrator activities.
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4727'
          - '4728'
          - '4729'
          - '4730'
          - '4731'
          - '4732'
          - '4733'
          - '4734'
          - '4735'
          - '4737'
          - '4754'
          - '4755'
          - '4756'
          - '4757'
          - '4758'
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Group Name
        data_view: logs-*
        field: winlog.event_data.TargetUserName
      - type: options
        label: Administrator
        data_view: logs-*
        field: winlog.event_data.SubjectUserName
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Metrics
      - title: Total Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Unique Groups
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: winlog.event_data.TargetUserName
            label: Groups
      - title: Members Added
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Added
          filters:
            - field: winlog.event_id
              in:
                - '4728'
                - '4732'
                - '4756'
      - title: Members Removed
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Removed
          filters:
            - field: winlog.event_id
              in:
                - '4729'
                - '4733'
                - '4757'
      # Analysis Layer - Time Series
      - title: Group Management Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      # Analysis Layer - Event Distribution
      - title: Event Types
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Host
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Top Administrators
        size: {w: 16, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.SubjectUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - Group Analysis
      - title: Top Modified Groups
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.TargetUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 5
      - title: Group and Administrator Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_data.TargetUserName
              size: 10
            - type: values
              field: winlog.event_data.SubjectUserName
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Audit Log Table
      - title: Group Management Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: subject-user
              type: values
              field: winlog.event_data.SubjectUserName
            - id: target-group
              type: values
              field: winlog.event_data.TargetUserName
            - id: member
              type: values
              field: winlog.event_data.MemberName
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
Windows Directory Monitoring (12-windows-directory-monitoring.yaml)
---
# Modern Windows Directory Monitoring Dashboard
# Following Dashboard Style Guide best practices:
# - Active Directory monitoring: object changes, access attempts
# - Directory service event tracking
# - Object and container analysis
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-windows-directory-monitoring
    name: '[Logs System] Windows Directory Monitoring'
    description: >-
      Active Directory and directory service event monitoring.
      Track object modifications and directory access events.
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4662'
          - '4661'
          - '5136'
          - '5137'
          - '5138'
          - '5139'
          - '5141'
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Object Type
        data_view: logs-*
        field: winlog.event_data.ObjectType
      - type: options
        label: User
        data_view: logs-*
        field: winlog.event_data.SubjectUserName
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Metrics
      - title: Total Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Directory Service Access (4662)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Access
          filters:
            - field: winlog.event_id
              equals: '4662'
      - title: Object Modifications (5136)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Modified
          filters:
            - field: winlog.event_id
              equals: '5136'
      - title: Unique Users
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: winlog.event_data.SubjectUserName
            label: Users
      # Analysis Layer - Time Series
      - title: Directory Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      # Analysis Layer - Event Distribution
      - title: Event Types
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Object Types
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_data.ObjectType
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Host
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - User Analysis
      - title: Top Users by Activity
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.SubjectUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 5
      - title: Object Type and Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_data.ObjectType
              size: 10
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Audit Log Table
      - title: Directory Event Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: subject-user
              type: values
              field: winlog.event_data.SubjectUserName
            - id: object-type
              type: values
              field: winlog.event_data.ObjectType
            - id: object-name
              type: values
              field: winlog.event_data.ObjectName
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
Windows System Process (13-windows-system-process.yaml)
---
# Modern Windows System and Process Events Dashboard
# Following Dashboard Style Guide best practices:
# - System event monitoring: services, processes, scheduled tasks
# - Process creation and termination tracking
# - Service state change monitoring
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-windows-system-process
    name: '[Logs System] Windows System & Process'
    description: >-
      Windows system events including process creation, service changes, and scheduled tasks.
      Monitor system activity and process execution.
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4688'
          - '4689'
          - '4697'
          - '4698'
          - '4699'
          - '4700'
          - '4701'
          - '4702'
          - '7034'
          - '7035'
          - '7036'
          - '7040'
          - '7045'
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: Process Name
        data_view: logs-*
        field: winlog.event_data.NewProcessName
      - type: options
        label: User
        data_view: logs-*
        field: winlog.event_data.SubjectUserName
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Metrics
      - title: Total Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Process Created (4688)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Created
          filters:
            - field: winlog.event_id
              equals: '4688'
      - title: Services Installed (7045)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Installed
          filters:
            - field: winlog.event_id
              equals: '7045'
      - title: Scheduled Tasks
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Tasks
          filters:
            - field: winlog.event_id
              in:
                - '4698'
                - '4699'
                - '4700'
                - '4701'
                - '4702'
      # Analysis Layer - Time Series
      - title: System Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      # Analysis Layer - Event Distribution
      - title: Event Types
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Host
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Top Users
        size: {w: 16, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.SubjectUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - Process Analysis
      - title: Top Processes
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.NewProcessName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      - title: Process and User Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_data.NewProcessName
              size: 10
            - type: values
              field: winlog.event_data.SubjectUserName
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Audit Log Table
      - title: System Event Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: subject-user
              type: values
              field: winlog.event_data.SubjectUserName
            - id: process-name
              type: values
              field: winlog.event_data.NewProcessName
            - id: command-line
              type: values
              field: winlog.event_data.CommandLine
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
Windows Policy Object (14-windows-policy-object.yaml)
---
# Modern Windows Policy and Object Access Dashboard
# Following Dashboard Style Guide best practices:
# - Security policy and audit policy changes
# - Object access and permission monitoring
# - Policy modification tracking
# - Detailed audit table at bottom
dashboards:
  - id: system-modern-windows-policy-object
    name: '[Logs System] Windows Policy & Object'
    description: >-
      Windows security policy changes and object access events.
      Monitor audit policy modifications and sensitive object access.
    filters:
      - field: event.module
        equals: system
      - field: winlog.event_id
        in:
          - '4670'
          - '4703'
          - '4704'
          - '4705'
          - '4706'
          - '4707'
          - '4713'
          - '4715'
          - '4719'
          - '4817'
          - '4902'
          - '4904'
          - '4905'
          - '4906'
          - '4907'
          - '4912'
    controls:
      - type: options
        label: Hostname
        data_view: logs-*
        field: host.hostname
      - type: options
        label: User
        data_view: logs-*
        field: winlog.event_data.SubjectUserName
    panels:
      # Context Layer - Navigation
      - title: Windows Security Dashboards
        size: {w: 48, h: 3}
        links:
          layout: horizontal
          items:
            - label: Overview
              dashboard: system-modern-windows-overview
            - label: Logons
              dashboard: system-modern-windows-logons
            - label: Failed & Blocked
              dashboard: system-modern-windows-failed-blocked
            - label: User Management
              dashboard: system-modern-windows-user-management
            - label: Group Management
              dashboard: system-modern-windows-group-management
            - label: Directory Monitoring
              dashboard: system-modern-windows-directory-monitoring
            - label: System & Process
              dashboard: system-modern-windows-system-process
            - label: Policy & Object
              dashboard: system-modern-windows-policy-object
      # Summary Layer - Key Metrics
      - title: Total Events
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Events
      - title: Unique Event Types
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: winlog.event_id
            label: Event Types
      - title: Policy Changes (4719)
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Policy Changes
          filters:
            - field: winlog.event_id
              equals: '4719'
      - title: Unique Users
        size: {w: 12, h: 4}
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: winlog.event_data.SubjectUserName
            label: Users
      # Analysis Layer - Time Series
      - title: Policy and Object Events Over Time
        size: {w: 48, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 10
      # Analysis Layer - Event Distribution
      - title: Event Types
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Events by Host
        size: {w: 16, h: 12}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
          metrics:
            - aggregation: count
              label: Events
      - title: Top Users
        size: {w: 16, h: 12}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: winlog.event_data.SubjectUserName
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
      # Analysis Layer - Policy Analysis
      - title: Events by Category
        size: {w: 24, h: 15}
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            type: values
            field: event.category
            size: 10
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
          breakdown:
            type: values
            field: winlog.event_id
            size: 5
      - title: Host and Event Distribution
        size: {w: 24, h: 15}
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - type: values
              field: host.hostname
              size: 10
            - type: values
              field: winlog.event_id
              size: 10
          metrics:
            - aggregation: count
              label: Events
      # Detail Layer - Audit Log Table
      - title: Policy and Object Event Audit Log
        size: {w: 48, h: 18}
        lens:
          type: datatable
          data_view: logs-*
          breakdowns:
            - id: timestamp
              field: '@timestamp'
              type: date_histogram
            - id: hostname
              type: values
              field: host.hostname
            - id: event-id
              type: values
              field: winlog.event_id
            - id: category
              type: values
              field: event.category
            - id: subject-user
              type: values
              field: winlog.event_data.SubjectUserName
            - id: object-name
              type: values
              field: winlog.event_data.ObjectName
          metrics:
            - id: count
              aggregation: count
              label: Count
          paging:
            enabled: true
            page_size: 10
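All of the Windows dashboards above share one schema: a dashboard-level `winlog.event_id` filter, a navigation panel whose links name other dashboard ids, and metric panels that narrow the event id further. As an added example that is not part of the original repository, the Python below lints the parsed form of such definitions for three things worth checking before deployment: every navigation link resolves to a defined dashboard id (these ids only resolve when all files are loaded together), every event id is quoted the way the page quotes them (an unquoted id parses as an int and is almost certainly a typo), and every panel-level event id filter lies inside the dashboard-level filter set (otherwise the panel can only ever show zero). The sample definitions and the `lint`/`lint_files` helpers are constructed for this example.

```python
from typing import Any, Dict, List, Set, Tuple

# Constructed sample in the parsed form of the page's YAML (keys not used by
# the checks are left out). The second dashboard deliberately carries the
# three defects the checks look for.
SAMPLE_DEFINITIONS: Dict[str, Any] = {
    "dashboards": [
        {
            "id": "system-modern-windows-logons",
            "filters": [
                {"field": "event.module", "equals": "system"},
                {"field": "winlog.event_id",
                 "in": ["4624", "4625", "4634", "4647", "4648"]},
            ],
            "panels": [
                {"title": "Windows Security Dashboards",
                 "links": {"layout": "horizontal", "items": [
                     {"label": "Overview", "dashboard": "system-modern-windows-overview"},
                     {"label": "Logons", "dashboard": "system-modern-windows-logons"}]}},
                {"title": "Successful Logons",
                 "lens": {"type": "metric", "primary": {"aggregation": "count"},
                          "filters": [{"field": "winlog.event_id", "equals": "4624"}]}},
            ],
        },
        {
            "id": "system-modern-windows-overview",
            "filters": [
                {"field": "event.module", "equals": "system"},
                {"field": "winlog.event_id", "in": [4624, "4625"]},  # 4624 unquoted
            ],
            "panels": [
                {"title": "Windows Security Dashboards",
                 "links": {"layout": "horizontal", "items": [
                     {"label": "Logons", "dashboard": "system-modern-windows-logon"}]}},
                {"title": "Account Lockouts (4740)",
                 "lens": {"type": "metric", "primary": {"aggregation": "count"},
                          "filters": [{"field": "winlog.event_id", "equals": "4740"}]}},
            ],
        },
    ]
}


def _event_ids(filters: Any) -> Tuple[Set[str], List[Any]]:
    """Collect the winlog.event_id values a filter list pins to, as strings,
    plus the raw values that were not strings (an unquoted id parses as an
    int, which breaks the convention the page follows everywhere)."""
    ids: Set[str] = set()
    unquoted: List[Any] = []
    for f in filters or []:
        if f.get("field") != "winlog.event_id":
            continue
        values = f["in"] if "in" in f else [f["equals"]] if "equals" in f else []
        for v in values:
            if not isinstance(v, str):
                unquoted.append(v)
            ids.add(str(v))
    return ids, unquoted


def lint(definitions: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the set is clean."""
    dashboards = definitions.get("dashboards", [])
    known_ids = {d["id"] for d in dashboards}
    findings: List[str] = []
    for d in dashboards:
        scope, unquoted = _event_ids(d.get("filters"))
        for v in unquoted:
            findings.append(f"{d['id']}: dashboard filter event id {v!r} is not quoted")
        for p in d.get("panels", []):
            where = f"{d['id']}/{p.get('title', '<untitled>')}"
            # Navigation panels must only point at dashboards that exist.
            for item in p.get("links", {}).get("items", []):
                target = item.get("dashboard")
                if target not in known_ids:
                    findings.append(f"{where}: link to unknown dashboard {target!r}")
            # A panel filter outside the dashboard filter can only ever show zero.
            panel_ids, panel_unquoted = _event_ids(p.get("lens", {}).get("filters"))
            for v in panel_unquoted:
                findings.append(f"{where}: panel filter event id {v!r} is not quoted")
            if scope and not panel_ids <= scope:
                outside = sorted(panel_ids - scope)
                findings.append(f"{where}: panel filters on {outside} outside "
                                f"dashboard filter {sorted(scope)}; panel is always empty")
    return findings


def lint_files(paths: List[str]) -> List[str]:
    """Lint several YAML files together so links across files resolve.
    Needs PyYAML; imported lazily so the in-memory sample runs without it."""
    import yaml  # type: ignore
    merged: List[Dict[str, Any]] = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            merged.extend(yaml.safe_load(fh).get("dashboards", []))
    return lint({"dashboards": merged})
```

Running `lint(SAMPLE_DEFINITIONS)` reports the unquoted `4624`, the dangling `system-modern-windows-logon` link and the `4740` panel filter that the overview dashboard's own filter excludes; linting the logons dashboard on its own instead reports its link to the then-unknown overview id, which is why the files are meant to be linted together.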
Prerequisites
- Elastic Agent: With System integration configured
- Kibana: Version 8.x or later
Data Requirements
- Data view: `metrics-*` (for metrics), `logs-*` (for logs)
- Data stream datasets: `system.cpu`, `system.memory`, `system.network`, `system.filesystem`, `system.process`, `system.syslog`, `system.auth`
Related
See also: System Classic Dashboards for direct conversions from the Elastic integration.