{ "annotations": { "list": [] }, "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 1, "links": [], "liveNow": false, "panels": [ { "type": "row", "title": "Privileged Account Overview", "gridPos": { "h": 1, "w": 24, "x": 0, "y": 0 }, "collapsed": false, "panels": [] }, { "type": "stat", "title": "Privileged Logons 15m", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 0, "y": 1 }, "targets": [ { "expr": "sum(increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[15m]))", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 10 }, { "color": "red", "value": 50 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "value", "graphMode": "area", "justifyMode": "auto" } }, { "type": "stat", "title": "Failed Admin Logons 15m", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 4, "y": 1 }, "targets": [ { "expr": "sum(increase(siem_privileged_logon_failures_total{user=~\"$user\",host=~\"$host\"}[15m]))", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 1 }, { "color": "red", "value": 5 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "value", "graphMode": "area", "justifyMode": "auto" } }, { "type": "stat", "title": "Admin New Hosts 1h", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 8, "y": 1 }, "targets": [ { "expr": "sum(increase(siem_privileged_new_host_total{user=~\"$user\",host=~\"$host\"}[1h]))", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", 
"decimals": 0, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "red", "value": 1 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "value", "graphMode": "area", "justifyMode": "auto" } }, { "type": "stat", "title": "High/Critical Detections 1h", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 12, "y": 1 }, "targets": [ { "expr": "sum(increase(eventcollector_detection_hits_total{severity=~\"high|critical\"}[1h]))", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 1 }, { "color": "red", "value": 5 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "value", "graphMode": "area", "justifyMode": "auto" } }, { "type": "stat", "title": "Max Host Risk", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 16, "y": 1 }, "targets": [ { "expr": "max(eventcollector_host_risk_score{host=~\"$host\"})", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 2, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 20 }, { "color": "red", "value": 60 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "value", "graphMode": "area", "justifyMode": "auto" } }, { "type": "stat", "title": "Baseline Max Z-Score", "datasource": "$datasource", "gridPos": { "h": 4, "w": 4, "x": 20, "y": 1 }, "targets": [ { "expr": "max(eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})", "refId": "A" } ], 
"fieldConfig": { "defaults": { "unit": "short", "decimals": 2, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "orange", "value": 3 }, { "color": "red", "value": 5 } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "value", "graphMode": "area", "justifyMode": "auto" } }, { "type": "timeseries", "title": "Privileged Logons by User", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 0, "y": 5 }, "targets": [ { "expr": "sum by (user) (rate(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[5m]))", "legendFormat": "{{user}}", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "eps", "decimals": 3 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "Failed Privileged Logons by User", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 12, "y": 5 }, "targets": [ { "expr": "sum by (user) (increase(siem_privileged_logon_failures_total{user=~\"$user\",host=~\"$host\"}[5m]))", "legendFormat": "{{user}}", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "bargauge", "title": "Top Admins by Logons 1h", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 0, "y": 13 }, "targets": [ { "expr": "topk(15, sum by (user) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h])))", "legendFormat": "{{user}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", 
"reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "bargauge", "title": "Top Hosts with Admin Activity 1h", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 8, "y": 13 }, "targets": [ { "expr": "topk(15, sum by (host) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h])))", "legendFormat": "{{host}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "bargauge", "title": "Top Admin New Hosts 24h", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 16, "y": 13 }, "targets": [ { "expr": "topk(15, sum by (user,host) (increase(siem_privileged_new_host_total{user=~\"$user\",host=~\"$host\"}[24h])))", "legendFormat": "{{user}} → {{host}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "row", "title": "SOC Risk & Detections", "gridPos": { "h": 1, "w": 24, "x": 0, "y": 21 }, "collapsed": false, "panels": [] }, { "type": "bargauge", "title": "Top Host Risk Scores", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 0, "y": 22 }, "targets": [ { "expr": "topk(20, eventcollector_host_risk_score{host=~\"$host\"})", "legendFormat": "{{host}} / {{severity}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 1 }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "showUnfilled": true } }, { 
"type": "bargauge", "title": "Top Detection Rules 24h", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 8, "y": 22 }, "targets": [ { "expr": "topk(20, sum by (rule,severity) (increase(eventcollector_detection_hits_total{rule=~\"$rule\",severity=~\"$severity\"}[24h])))", "legendFormat": "{{rule}} / {{severity}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "bargauge", "title": "Top Baseline Z-Scores", "datasource": "$datasource", "gridPos": { "h": 8, "w": 8, "x": 16, "y": 22 }, "targets": [ { "expr": "topk(20, eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})", "legendFormat": "{{host}}", "refId": "A", "instant": true } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 2 }, "overrides": [] }, "options": { "displayMode": "gradient", "orientation": "horizontal", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "showUnfilled": true } }, { "type": "timeseries", "title": "Detection Hits by Severity", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 0, "y": 30 }, "targets": [ { "expr": "sum by (severity) (increase(eventcollector_detection_hits_total{severity=~\"$severity\",rule=~\"$rule\"}[5m]))", "legendFormat": "{{severity}}", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "Baseline Current vs Average", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 12, "y": 30 }, "targets": [ { "expr": 
"eventcollector_baseline_current_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}", "legendFormat": "current {{host}} {{channel}} {{event_id}}", "refId": "A" }, { "expr": "eventcollector_baseline_avg_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}", "legendFormat": "avg {{host}} {{channel}} {{event_id}}", "refId": "B" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 2 }, "overrides": [] }, "options": { "legend": { "displayMode": "list", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "row", "title": "Operations", "gridPos": { "h": 1, "w": 24, "x": 0, "y": 38 }, "collapsed": false, "panels": [] }, { "type": "timeseries", "title": "Ingested Events / Second by Channel", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 0, "y": 39 }, "targets": [ { "expr": "sum by (channel) (rate(eventcollector_ingest_events_total{channel=~\"$channel\",event_id=~\"$event_id\"}[5m]))", "legendFormat": "{{channel}}", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "eps", "decimals": 2 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "timeseries", "title": "HTTP Latency p95", "datasource": "$datasource", "gridPos": { "h": 8, "w": 12, "x": 12, "y": 39 }, "targets": [ { "expr": "histogram_quantile(0.95, sum by (le,path) (rate(eventcollector_http_request_duration_seconds_bucket[5m])))", "legendFormat": "{{path}} p95", "refId": "A" } ], "fieldConfig": { "defaults": { "unit": "s", "decimals": 3 }, "overrides": [] }, "options": { "legend": { "displayMode": "table", "placement": "bottom", "showLegend": true }, "tooltip": { "mode": "multi", "sort": "desc" } } }, { "type": "table", "title": "Privileged Users / Hosts - Activity 1h", "datasource": "$datasource", "gridPos": { "h": 10, "w": 12, "x": 0, "y": 47 }, "targets": [ { 
"expr": "sum by (user,host) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h]))", "legendFormat": "{{user}} {{host}}", "refId": "A", "instant": true, "format": "table" } ], "fieldConfig": { "defaults": { "unit": "short", "decimals": 0 }, "overrides": [] }, "options": { "showHeader": true } }, { "type": "table", "title": "Agent Last Seen Age", "datasource": "$datasource", "gridPos": { "h": 10, "w": 12, "x": 12, "y": 47 }, "targets": [ { "expr": "time() - eventcollector_agent_last_seen_unixtime{host=~\"$host\"}", "legendFormat": "{{host}}", "refId": "A", "instant": true, "format": "table" } ], "fieldConfig": { "defaults": { "unit": "s", "decimals": 0 }, "overrides": [] }, "options": { "showHeader": true } } ], "refresh": "30s", "schemaVersion": 39, "style": "dark", "tags": [ "siem", "soc", "ueba", "privileged-accounts" ], "templating": { "list": [ { "name": "datasource", "type": "datasource", "query": "prometheus", "current": {}, "hide": 0, "label": "Datasource" }, { "name": "user", "type": "query", "datasource": "$datasource", "query": "label_values(siem_privileged_logons_total, user)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Privileged User" }, { "name": "host", "type": "query", "datasource": "$datasource", "query": "label_values(eventcollector_agent_last_seen_unixtime, host)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Host" }, { "name": "channel", "type": "query", "datasource": "$datasource", "query": "label_values(eventcollector_ingest_events_total, channel)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Channel" }, { "name": "event_id", "type": "query", "datasource": "$datasource", "query": 
"label_values(eventcollector_ingest_events_total, event_id)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Event ID" }, { "name": "rule", "type": "query", "datasource": "$datasource", "query": "label_values(eventcollector_detection_hits_total, rule)", "refresh": 1, "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Rule" }, { "name": "severity", "type": "custom", "query": "info,low,medium,high,critical", "includeAll": true, "multi": true, "allValue": ".*", "current": { "selected": true, "text": "All", "value": "$__all" }, "label": "Severity" } ] }, "time": { "from": "now-6h", "to": "now" }, "timezone": "browser", "title": "SIEM SOC - Privileged Accounts & UEBA", "uid": "siem-soc-privileged-ueba", "version": 1 }