diff --git a/deploy/grafana/provisioning/dashboards/siem-soc-privileged.json b/deploy/grafana/provisioning/dashboards/siem-soc-privileged.json
new file mode 100644
index 0000000..62878dd
--- /dev/null
+++ b/deploy/grafana/provisioning/dashboards/siem-soc-privileged.json
@@ -0,0 +1,1006 @@ +{ + "annotations": { + "list": [] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 1, + "links": [], + "liveNow": false, + "panels": [ + { + "type": "row", + "title": "Privileged Account Overview", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "collapsed": false, + "panels": [] + }, + { + "type": "stat", + "title": "Privileged Logons 15m", + "datasource": "$datasource", + "gridPos": { + "h": 4, + "w": 4, + "x": 0, + "y": 1 + }, + "targets": [ + { + "expr": "sum(increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[15m]))", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 10 + }, + { + "color": "red", + "value": 50 + } + ] + } + }, + "overrides": [] + }, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto" + } + }, + { + "type": "stat", + "title": "Failed Admin Logons 15m", + "datasource": "$datasource", + "gridPos": { + "h": 4, + "w": 4, + "x": 4, + "y": 1 + }, + "targets": [ + { + "expr": "sum(increase(siem_privileged_logon_failures_total{user=~\"$user\",host=~\"$host\"}[15m]))", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 1 + }, + { + "color": "red", + "value": 5 + } + ] + } + }, + "overrides": [] + }, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto" + } + }, + { + "type": "stat", + 
"title": "Admin New Hosts 1h", + "datasource": "$datasource", + "gridPos": { + "h": 4, + "w": 4, + "x": 8, + "y": 1 + }, + "targets": [ + { + "expr": "sum(increase(siem_privileged_new_host_total{user=~\"$user\",host=~\"$host\"}[1h]))", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto" + } + }, + { + "type": "stat", + "title": "High/Critical Detections 1h", + "datasource": "$datasource", + "gridPos": { + "h": 4, + "w": 4, + "x": 12, + "y": 1 + }, + "targets": [ + { + "expr": "sum(increase(eventcollector_detection_hits_total{severity=~\"high|critical\"}[1h]))", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 1 + }, + { + "color": "red", + "value": 5 + } + ] + } + }, + "overrides": [] + }, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto" + } + }, + { + "type": "stat", + "title": "Max Host Risk", + "datasource": "$datasource", + "gridPos": { + "h": 4, + "w": 4, + "x": 16, + "y": 1 + }, + "targets": [ + { + "expr": "max(eventcollector_host_risk_score{host=~\"$host\"})", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 2, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": 
"orange", + "value": 20 + }, + { + "color": "red", + "value": 60 + } + ] + } + }, + "overrides": [] + }, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto" + } + }, + { + "type": "stat", + "title": "Baseline Max Z-Score", + "datasource": "$datasource", + "gridPos": { + "h": 4, + "w": 4, + "x": 20, + "y": 1 + }, + "targets": [ + { + "expr": "max(eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 2, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 3 + }, + { + "color": "red", + "value": 5 + } + ] + } + }, + "overrides": [] + }, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto" + } + }, + { + "type": "timeseries", + "title": "Privileged Logons by User", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 5 + }, + "targets": [ + { + "expr": "sum by (user) (rate(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[5m]))", + "legendFormat": "{{user}}", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "eps", + "decimals": 3 + }, + "overrides": [] + }, + "options": { + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + } + }, + { + "type": "timeseries", + "title": "Failed Privileged Logons by User", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 5 + }, + "targets": [ + { + "expr": "sum by (user) 
(increase(siem_privileged_logon_failures_total{user=~\"$user\",host=~\"$host\"}[5m]))", + "legendFormat": "{{user}}", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0 + }, + "overrides": [] + }, + "options": { + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + } + }, + { + "type": "bargauge", + "title": "Top Admins by Logons 1h", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 13 + }, + "targets": [ + { + "expr": "topk(15, sum by (user) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h])))", + "legendFormat": "{{user}}", + "refId": "A", + "instant": true + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0 + }, + "overrides": [] + }, + "options": { + "displayMode": "gradient", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + } + }, + { + "type": "bargauge", + "title": "Top Hosts with Admin Activity 1h", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 13 + }, + "targets": [ + { + "expr": "topk(15, sum by (host) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h])))", + "legendFormat": "{{host}}", + "refId": "A", + "instant": true + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0 + }, + "overrides": [] + }, + "options": { + "displayMode": "gradient", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + } + }, + { + "type": "bargauge", + "title": "Top Admin New Hosts 24h", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 13 + }, + "targets": [ + { + "expr": "topk(15, sum by (user,host) 
(increase(siem_privileged_new_host_total{user=~\"$user\",host=~\"$host\"}[24h])))", + "legendFormat": "{{user}} → {{host}}", + "refId": "A", + "instant": true + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0 + }, + "overrides": [] + }, + "options": { + "displayMode": "gradient", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + } + }, + { + "type": "row", + "title": "SOC Risk & Detections", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 21 + }, + "collapsed": false, + "panels": [] + }, + { + "type": "bargauge", + "title": "Top Host Risk Scores", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 22 + }, + "targets": [ + { + "expr": "topk(20, eventcollector_host_risk_score{host=~\"$host\"})", + "legendFormat": "{{host}} / {{severity}}", + "refId": "A", + "instant": true + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 1 + }, + "overrides": [] + }, + "options": { + "displayMode": "gradient", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + } + }, + { + "type": "bargauge", + "title": "Top Detection Rules 24h", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 22 + }, + "targets": [ + { + "expr": "topk(20, sum by (rule,severity) (increase(eventcollector_detection_hits_total{rule=~\"$rule\",severity=~\"$severity\"}[24h])))", + "legendFormat": "{{rule}} / {{severity}}", + "refId": "A", + "instant": true + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0 + }, + "overrides": [] + }, + "options": { + "displayMode": "gradient", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + } + }, + { + "type": "bargauge", + "title": "Top 
Baseline Z-Scores", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 22 + }, + "targets": [ + { + "expr": "topk(20, eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})", + "legendFormat": "{{host}}", + "refId": "A", + "instant": true + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 2 + }, + "overrides": [] + }, + "options": { + "displayMode": "gradient", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + } + }, + { + "type": "timeseries", + "title": "Detection Hits by Severity", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 30 + }, + "targets": [ + { + "expr": "sum by (severity) (increase(eventcollector_detection_hits_total{severity=~\"$severity\",rule=~\"$rule\"}[5m]))", + "legendFormat": "{{severity}}", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0 + }, + "overrides": [] + }, + "options": { + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + } + }, + { + "type": "timeseries", + "title": "Baseline Current vs Average", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 30 + }, + "targets": [ + { + "expr": "eventcollector_baseline_current_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}", + "legendFormat": "current {{host}} {{channel}} {{event_id}}", + "refId": "A" + }, + { + "expr": "eventcollector_baseline_avg_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}", + "legendFormat": "avg {{host}} {{channel}} {{event_id}}", + "refId": "B" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 2 + }, + "overrides": [] + }, + "options": { + "legend": { + "displayMode": "list", + "placement": "bottom", + 
"showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + } + }, + { + "type": "row", + "title": "Operations", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 38 + }, + "collapsed": false, + "panels": [] + }, + { + "type": "timeseries", + "title": "Ingested Events / Second by Channel", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 39 + }, + "targets": [ + { + "expr": "sum by (channel) (rate(eventcollector_ingest_events_total{channel=~\"$channel\",event_id=~\"$event_id\"}[5m]))", + "legendFormat": "{{channel}}", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "eps", + "decimals": 2 + }, + "overrides": [] + }, + "options": { + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + } + }, + { + "type": "timeseries", + "title": "HTTP Latency p95", + "datasource": "$datasource", + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 39 + }, + "targets": [ + { + "expr": "histogram_quantile(0.95, sum by (le,path) (rate(eventcollector_http_request_duration_seconds_bucket[5m])))", + "legendFormat": "{{path}} p95", + "refId": "A" + } + ], + "fieldConfig": { + "defaults": { + "unit": "s", + "decimals": 3 + }, + "overrides": [] + }, + "options": { + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + } + }, + { + "type": "table", + "title": "Privileged Users / Hosts - Current Activity", + "datasource": "$datasource", + "gridPos": { + "h": 10, + "w": 12, + "x": 0, + "y": 47 + }, + "targets": [ + { + "expr": "sum by (user,host) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h]))", + "legendFormat": "{{user}} {{host}}", + "refId": "A", + "instant": true, + "format": "table" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "decimals": 0 + }, + "overrides": [] + }, + 
"options": { + "showHeader": true + } + }, + { + "type": "table", + "title": "Agent Last Seen Age", + "datasource": "$datasource", + "gridPos": { + "h": 10, + "w": 12, + "x": 12, + "y": 47 + }, + "targets": [ + { + "expr": "time() - eventcollector_agent_last_seen_unixtime{host=~\"$host\"}", + "legendFormat": "{{host}}", + "refId": "A", + "instant": true, + "format": "table" + } + ], + "fieldConfig": { + "defaults": { + "unit": "s", + "decimals": 0 + }, + "overrides": [] + }, + "options": { + "showHeader": true + } + } + ], + "refresh": "30s", + "schemaVersion": 39, + "style": "dark", + "tags": [ + "siem", + "soc", + "ueba", + "privileged-accounts" + ], + "templating": { + "list": [ + { + "name": "datasource", + "type": "datasource", + "query": "prometheus", + "current": {}, + "hide": 0, + "label": "Datasource" + }, + { + "name": "user", + "type": "query", + "datasource": "$datasource", + "query": "label_values(siem_privileged_logons_total, user)", + "refresh": 1, + "includeAll": true, + "multi": true, + "allValue": ".*", + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "label": "Privileged User" + }, + { + "name": "host", + "type": "query", + "datasource": "$datasource", + "query": "label_values(eventcollector_agent_last_seen_unixtime, host)", + "refresh": 1, + "includeAll": true, + "multi": true, + "allValue": ".*", + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "label": "Host" + }, + { + "name": "channel", + "type": "query", + "datasource": "$datasource", + "query": "label_values(eventcollector_ingest_events_total, channel)", + "refresh": 1, + "includeAll": true, + "multi": true, + "allValue": ".*", + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "label": "Channel" + }, + { + "name": "event_id", + "type": "query", + "datasource": "$datasource", + "query": "label_values(eventcollector_ingest_events_total, event_id)", + "refresh": 1, + "includeAll": true, + "multi": true, + 
"allValue": ".*", + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "label": "Event ID" + }, + { + "name": "rule", + "type": "query", + "datasource": "$datasource", + "query": "label_values(eventcollector_detection_hits_total, rule)", + "refresh": 1, + "includeAll": true, + "multi": true, + "allValue": ".*", + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "label": "Rule" + }, + { + "name": "severity", + "type": "custom", + "query": "info,low,medium,high,critical", + "includeAll": true, + "multi": true, + "allValue": ".*", + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "label": "Severity" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timezone": "browser", + "title": "SIEM SOC - Privileged Accounts & UEBA", + "uid": "siem-soc-privileged-ueba", + "version": 1 +} \ No newline at end of file diff --git a/main.go b/main.go index ea7a659..182a8df 100644 --- a/main.go +++ b/main.go @@ -5791,6 +5791,14 @@ WHERE channel_name = 'Security' AND target_user <> '' AND target_user <> '-' AND target_user NOT LIKE '%$' + AND logon_type IN ('2', '7', '10', '11') + AND LOWER(target_user) NOT IN ( + 'system', + 'localsystem', + 'local service', + 'network service', + 'anonymous logon' + ) GROUP BY hostname, target_user ` @@ -5809,7 +5817,7 @@ GROUP BY hostname, target_user } user = normalizeUsername(user) - if user == "" || isMachineAccount(user) { + if isNoiseAccount(user) { continue } @@ -6093,3 +6101,29 @@ GROUP BY e.hostname, e.target_user return rows.Err() } + +func isNoiseAccount(username string) bool { + u := normalizeUsername(username) + + if u == "" || isMachineAccount(u) { + return true + } + + switch u { + case "system", + "localsystem", + "local service", + "network service", + "anonymous logon", + "dwm-1", + "dwm-2", + "dwm-3", + "umfd-0", + "umfd-1", + "umfd-2", + "umfd-3": + return true + } + + return false +}