{ "annotations": { "list": [] }, "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 1, "links": [], "liveNow": false, "panels": [ { "type": "stat", "title": "Active Agents", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 0, "y": 0 }, "targets": [ { "expr": "eventcollector_active_agents", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "thresholds": { "mode": "absolute", "steps": [ { "color": "red", "value": null }, { "color": "green", "value": 1 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "value", "graphMode": "area", "justifyMode": "auto" } }, { "type": "stat", "title": "Events/s", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 4, "y": 0 }, "targets": [ { "expr": "sum(rate(eventcollector_ingest_events_total{channel=~\"$channel\",event_id=~\"$event_id\"}[5m]))", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "eps", "decimals": 2 }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "textMode": "auto" } }, { "type": "stat", "title": "High Detections 5m", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 8, "y": 0 }, "targets": [ { "expr": "sum(increase(eventcollector_detection_hits_total{severity=\"high\",rule=~\"$rule\"}[5m]))", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "red", "value": 1 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "textMode": "auto" } }, { "type": "stat", "title": "Baseline Max Z-Score", "datasource": "$datasource", 
"gridPos": { "h": 4, "w": 4, "x": 12, "y": 0 }, "targets": [ { "expr": "max(eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})", "refId": "A" } ], "fieldConfig": { "defaults": { "decimals": 2, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 3 }, { "color": "red", "value": 5 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "textMode": "auto" } }, { "type": "stat", "title": "Rule Errors 5m", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 16, "y": 0 }, "targets": [ { "expr": "sum(increase(eventcollector_rule_errors_total{rule=~\"$rule\"}[5m]))", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "red", "value": 1 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "textMode": "auto" } }, { "type": "stat", "title": "DB Insert Failures 5m", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 20, "y": 0 }, "targets": [ { "expr": "increase(eventcollector_db_insert_failures_total[5m])", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "red", "value": 1 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "textMode": "auto" } }, { "type": "timeseries", "title": "Ingested Events / Second by Channel", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 0, "y": 4 
}, "targets": [ { "expr": "sum by (channel) (rate(eventcollector_ingest_events_total{channel=~\"$channel\",event_id=~\"$event_id\"}[5m]))", "legendFormat": "{{channel}}", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "eps", "decimals": 2 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "Detection Hits by Rule / Severity", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 12, "y": 4 }, "targets": [ { "expr": "sum by (rule,severity) (increase(eventcollector_detection_hits_total{rule=~\"$rule\",severity=~\"$severity\"}[5m]))", "legendFormat": "{{rule}} / {{severity}}", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short" }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "Baseline: Current Count vs Average", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 0, "y": 12 }, "targets": [ { "expr": "eventcollector_baseline_current_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}", "legendFormat": "current {{host}} {{channel}} {{event_id}}", "refId": "A" }, { "expr": "eventcollector_baseline_avg_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}", "legendFormat": "avg {{host}} {{channel}} {{event_id}}", "refId": "B" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 2 }, "overrides": [] }, "options": { "legend": { "displayMode": "list", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "Baseline Z-Score", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 12, "y": 12 }, "targets": [ { "expr": "eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"}", 
"legendFormat": "{{host}}", "refId": "A" } ], "fieldConfig": { "defaults": { "decimals": 2, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 3 }, { "color": "red", "value": 5 } ] } }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "bargauge", "title": "Top Baseline Z-Scores", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 0, "y": 20 }, "targets": [ { "expr": "topk(10, eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})", "legendFormat": "{{host}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "decimals": 2, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 3 }, { "color": "red", "value": 5 } ] } }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "bargauge", "title": "Top EventIDs by Ingest Rate", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 8, "y": 20 }, "targets": [ { "expr": "topk(15, sum by (channel,event_id) (rate(eventcollector_ingest_events_total{channel=~\"$channel\",event_id=~\"$event_id\"}[5m])))", "legendFormat": "{{channel}} / {{event_id}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "eps", "decimals": 2 }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "bargauge", "title": "Top Detection Rules 1h", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 16, "y": 20 }, "targets": [ { "expr": "topk(15, sum by (rule,severity) 
(increase(eventcollector_detection_hits_total{rule=~\"$rule\",severity=~\"$severity\"}[1h])))", "legendFormat": "{{rule}} / {{severity}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "short" }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "timeseries", "title": "HTTP Requests by Path / Status", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 0, "y": 28 }, "targets": [ { "expr": "sum by (path,status) (rate(eventcollector_http_requests_total[5m]))", "legendFormat": "{{path}} {{status}}", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "reqps", "decimals": 2 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "HTTP Latency p95", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 12, "y": 28 }, "targets": [ { "expr": "histogram_quantile(0.95, sum by (le,path) (rate(eventcollector_http_request_duration_seconds_bucket[5m])))", "legendFormat": "{{path}} p95", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "s", "decimals": 3 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "DB Insert Transaction Latency p95", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 0, "y": 36 }, "targets": [ { "expr": "histogram_quantile(0.95, sum by (le) (rate(eventcollector_db_tx_duration_seconds_bucket[5m])))", "legendFormat": "db tx p95", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "s", "decimals": 3 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": 
"multi", "sort": "desc" } } }, { "type": "timeseries", "title": "DB Batch Size p95", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 12, "y": 36 }, "targets": [ { "expr": "histogram_quantile(0.95, sum by (le) (rate(eventcollector_db_batch_size_bucket[5m])))", "legendFormat": "batch size p95", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "table", "title": "Agent Last Seen (seconds since last check-in)", "datasource": "$datasource", "gridPos": { "h": 10, "w": 12, "x": 0, "y": 44 }, "targets": [ { "expr": "time() - eventcollector_agent_last_seen_unixtime{host=~\"$host\"}", "legendFormat": "{{host}}", "refId": "A", "instant": true, "format": "table" } ], "fieldConfig": { "defaults": { "unit": "s", "decimals": 0 }, "overrides": [] }, "options": { "showHeader": true } }, { "type": "table", "title": "Baseline Sample Count", "datasource": "$datasource", "gridPos": { "h": 10, "w": 12, "x": 12, "y": 44 }, "targets": [ { "expr": "eventcollector_baseline_sample_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}", "legendFormat": "{{host}} {{channel}} {{event_id}}", "refId": "A", "instant": true, "format": "table" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "showHeader": true } } ], "refresh": "30s", "schemaVersion": 39, "style": "dark", "tags": ["siem", "baseline", "ad"], "templating": { "list": [ { "name": "datasource", "type": "datasource", "query": "prometheus", "current": {}, "hide": 0, "label": "Datasource" }, { "name": "host", "type": "query", "datasource": "$datasource", "query": "label_values(eventcollector_agent_last_seen_unixtime, host)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Host" }, { "name": 
"channel", "type": "query", "datasource": "$datasource", "query": "label_values(eventcollector_ingest_events_total, channel)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Channel" }, { "name": "event_id", "type": "query", "datasource": "$datasource", "query": "label_values(eventcollector_ingest_events_total, event_id)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Event ID" }, { "name": "rule", "type": "query", "datasource": "$datasource", "query": "label_values(eventcollector_detection_hits_total, rule)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Rule" }, { "name": "severity", "type": "custom", "query": "low,medium,high", "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Severity" } ] }, "time": { "from": "now-6h", "to": "now" }, "timezone": "browser", "title": "SIEM Overview Extended", "uid": "siem-overview-extended", "version": 1 }