siem-backend/deploy/grafana/provisioning/dashboards/siem-soc-privileged.json
jbergner 12956d87b9
Neues Dashboard und Lösung für starkes Noise bei UEBA Off-Hours
2026-04-27 07:14:24 +02:00


{
"annotations": {
"list": []
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 1,
"links": [],
"liveNow": false,
"panels": [
{
"type": "row",
"title": "Privileged Account Overview",
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 0
},
"collapsed": false,
"panels": []
},
{
"type": "stat",
"title": "Privileged Logons 15m",
"datasource": "$datasource",
"gridPos": {
"h": 4,
"w": 4,
"x": 0,
"y": 1
},
"targets": [
{
"expr": "sum(increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[15m]))",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "orange",
"value": 10
},
{
"color": "red",
"value": 50
}
]
}
},
"overrides": []
},
"options": {
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto"
}
},
{
"type": "stat",
"title": "Failed Admin Logons 15m",
"datasource": "$datasource",
"gridPos": {
"h": 4,
"w": 4,
"x": 4,
"y": 1
},
"targets": [
{
"expr": "sum(increase(siem_privileged_logon_failures_total{user=~\"$user\",host=~\"$host\"}[15m]))",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "orange",
"value": 1
},
{
"color": "red",
"value": 5
}
]
}
},
"overrides": []
},
"options": {
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto"
}
},
{
"type": "stat",
"title": "Admin New Hosts 1h",
"datasource": "$datasource",
"gridPos": {
"h": 4,
"w": 4,
"x": 8,
"y": 1
},
"targets": [
{
"expr": "sum(increase(siem_privileged_new_host_total{user=~\"$user\",host=~\"$host\"}[1h]))",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 1
}
]
}
},
"overrides": []
},
"options": {
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto"
}
},
{
"type": "stat",
"title": "High/Critical Detections 1h",
"datasource": "$datasource",
"gridPos": {
"h": 4,
"w": 4,
"x": 12,
"y": 1
},
"targets": [
{
"expr": "sum(increase(eventcollector_detection_hits_total{severity=~\"high|critical\"}[1h]))",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "orange",
"value": 1
},
{
"color": "red",
"value": 5
}
]
}
},
"overrides": []
},
"options": {
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto"
}
},
{
"type": "stat",
"title": "Max Host Risk",
"datasource": "$datasource",
"gridPos": {
"h": 4,
"w": 4,
"x": 16,
"y": 1
},
"targets": [
{
"expr": "max(eventcollector_host_risk_score{host=~\"$host\"})",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 2,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "orange",
"value": 20
},
{
"color": "red",
"value": 60
}
]
}
},
"overrides": []
},
"options": {
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto"
}
},
{
"type": "stat",
"title": "Baseline Max Z-Score",
"datasource": "$datasource",
"gridPos": {
"h": 4,
"w": 4,
"x": 20,
"y": 1
},
"targets": [
{
"expr": "max(eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 2,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "orange",
"value": 3
},
{
"color": "red",
"value": 5
}
]
}
},
"overrides": []
},
"options": {
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto"
}
},
{
"type": "timeseries",
"title": "Privileged Logons by User",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 5
},
"targets": [
{
"expr": "sum by (user) (rate(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[5m]))",
"legendFormat": "{{user}}",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "eps",
"decimals": 3
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "table",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "desc"
}
}
},
{
"type": "timeseries",
"title": "Failed Privileged Logons by User",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 5
},
"targets": [
{
"expr": "sum by (user) (increase(siem_privileged_logon_failures_total{user=~\"$user\",host=~\"$host\"}[5m]))",
"legendFormat": "{{user}}",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "table",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "desc"
}
}
},
{
"type": "bargauge",
"title": "Top Admins by Logons 1h",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 8,
"x": 0,
"y": 13
},
"targets": [
{
"expr": "topk(15, sum by (user) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h])))",
"legendFormat": "{{user}}",
"refId": "A",
"instant": true
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0
},
"overrides": []
},
"options": {
"displayMode": "gradient",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showUnfilled": true
}
},
{
"type": "bargauge",
"title": "Top Hosts with Admin Activity 1h",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 8,
"x": 8,
"y": 13
},
"targets": [
{
"expr": "topk(15, sum by (host) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h])))",
"legendFormat": "{{host}}",
"refId": "A",
"instant": true
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0
},
"overrides": []
},
"options": {
"displayMode": "gradient",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showUnfilled": true
}
},
{
"type": "bargauge",
"title": "Top Admin New Hosts 24h",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 8,
"x": 16,
"y": 13
},
"targets": [
{
"expr": "topk(15, sum by (user,host) (increase(siem_privileged_new_host_total{user=~\"$user\",host=~\"$host\"}[24h])))",
"legendFormat": "{{user}} → {{host}}",
"refId": "A",
"instant": true
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0
},
"overrides": []
},
"options": {
"displayMode": "gradient",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showUnfilled": true
}
},
{
"type": "row",
"title": "SOC Risk & Detections",
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 21
},
"collapsed": false,
"panels": []
},
{
"type": "bargauge",
"title": "Top Host Risk Scores",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 8,
"x": 0,
"y": 22
},
"targets": [
{
"expr": "topk(20, eventcollector_host_risk_score{host=~\"$host\"})",
"legendFormat": "{{host}} / {{severity}}",
"refId": "A",
"instant": true
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 1
},
"overrides": []
},
"options": {
"displayMode": "gradient",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showUnfilled": true
}
},
{
"type": "bargauge",
"title": "Top Detection Rules 24h",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 8,
"x": 8,
"y": 22
},
"targets": [
{
"expr": "topk(20, sum by (rule,severity) (increase(eventcollector_detection_hits_total{rule=~\"$rule\",severity=~\"$severity\"}[24h])))",
"legendFormat": "{{rule}} / {{severity}}",
"refId": "A",
"instant": true
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0
},
"overrides": []
},
"options": {
"displayMode": "gradient",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showUnfilled": true
}
},
{
"type": "bargauge",
"title": "Top Baseline Z-Scores",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 8,
"x": 16,
"y": 22
},
"targets": [
{
"expr": "topk(20, eventcollector_anomaly_score{host=~\"$host\",rule=\"baseline_event_rate_anomaly\"})",
"legendFormat": "{{host}}",
"refId": "A",
"instant": true
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 2
},
"overrides": []
},
"options": {
"displayMode": "gradient",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showUnfilled": true
}
},
{
"type": "timeseries",
"title": "Detection Hits by Severity",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 30
},
"targets": [
{
"expr": "sum by (severity) (increase(eventcollector_detection_hits_total{severity=~\"$severity\",rule=~\"$rule\"}[5m]))",
"legendFormat": "{{severity}}",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "table",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "desc"
}
}
},
{
"type": "timeseries",
"title": "Baseline Current vs Average",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 30
},
"targets": [
{
"expr": "eventcollector_baseline_current_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}",
"legendFormat": "current {{host}} {{channel}} {{event_id}}",
"refId": "A"
},
{
"expr": "eventcollector_baseline_avg_count{host=~\"$host\",channel=~\"$channel\",event_id=~\"$event_id\"}",
"legendFormat": "avg {{host}} {{channel}} {{event_id}}",
"refId": "B"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 2
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "desc"
}
}
},
{
"type": "row",
"title": "Operations",
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 38
},
"collapsed": false,
"panels": []
},
{
"type": "timeseries",
"title": "Ingested Events / Second by Channel",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 12,
"x": 0,
"y": 39
},
"targets": [
{
"expr": "sum by (channel) (rate(eventcollector_ingest_events_total{channel=~\"$channel\",event_id=~\"$event_id\"}[5m]))",
"legendFormat": "{{channel}}",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "eps",
"decimals": 2
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "table",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "desc"
}
}
},
{
"type": "timeseries",
"title": "HTTP Latency p95",
"datasource": "$datasource",
"gridPos": {
"h": 8,
"w": 12,
"x": 12,
"y": 39
},
"targets": [
{
"expr": "histogram_quantile(0.95, sum by (le,path) (rate(eventcollector_http_request_duration_seconds_bucket[5m])))",
"legendFormat": "{{path}} p95",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "s",
"decimals": 3
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "table",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "desc"
}
}
},
{
"type": "table",
"title": "Privileged Users / Hosts - Current Activity",
"datasource": "$datasource",
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 47
},
"targets": [
{
"expr": "sum by (user,host) (increase(siem_privileged_logons_total{user=~\"$user\",host=~\"$host\"}[1h]))",
"legendFormat": "{{user}} {{host}}",
"refId": "A",
"instant": true,
"format": "table"
}
],
"fieldConfig": {
"defaults": {
"unit": "short",
"decimals": 0
},
"overrides": []
},
"options": {
"showHeader": true
}
},
{
"type": "table",
"title": "Agent Last Seen Age",
"datasource": "$datasource",
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 47
},
"targets": [
{
"expr": "time() - eventcollector_agent_last_seen_unixtime{host=~\"$host\"}",
"legendFormat": "{{host}}",
"refId": "A",
"instant": true,
"format": "table"
}
],
"fieldConfig": {
"defaults": {
"unit": "s",
"decimals": 0
},
"overrides": []
},
"options": {
"showHeader": true
}
}
],
"refresh": "30s",
"schemaVersion": 39,
"style": "dark",
"tags": [
"siem",
"soc",
"ueba",
"privileged-accounts"
],
"templating": {
"list": [
{
"name": "datasource",
"type": "datasource",
"query": "prometheus",
"current": {},
"hide": 0,
"label": "Datasource"
},
{
"name": "user",
"type": "query",
"datasource": "$datasource",
"query": "label_values(siem_privileged_logons_total, user)",
"refresh": 1,
"includeAll": true,
"multi": true,
"allValue": ".*",
"current": {
"selected": true,
"text": "All",
"value": "$__all"
},
"label": "Privileged User"
},
{
"name": "host",
"type": "query",
"datasource": "$datasource",
"query": "label_values(eventcollector_agent_last_seen_unixtime, host)",
"refresh": 1,
"includeAll": true,
"multi": true,
"allValue": ".*",
"current": {
"selected": true,
"text": "All",
"value": "$__all"
},
"label": "Host"
},
{
"name": "channel",
"type": "query",
"datasource": "$datasource",
"query": "label_values(eventcollector_ingest_events_total, channel)",
"refresh": 1,
"includeAll": true,
"multi": true,
"allValue": ".*",
"current": {
"selected": true,
"text": "All",
"value": "$__all"
},
"label": "Channel"
},
{
"name": "event_id",
"type": "query",
"datasource": "$datasource",
"query": "label_values(eventcollector_ingest_events_total, event_id)",
"refresh": 1,
"includeAll": true,
"multi": true,
"allValue": ".*",
"current": {
"selected": true,
"text": "All",
"value": "$__all"
},
"label": "Event ID"
},
{
"name": "rule",
"type": "query",
"datasource": "$datasource",
"query": "label_values(eventcollector_detection_hits_total, rule)",
"refresh": 1,
"includeAll": true,
"multi": true,
"allValue": ".*",
"current": {
"selected": true,
"text": "All",
"value": "$__all"
},
"label": "Rule"
},
{
"name": "severity",
"type": "custom",
"query": "info,low,medium,high,critical",
"includeAll": true,
"multi": true,
"allValue": ".*",
"current": {
"selected": true,
"text": "All",
"value": "$__all"
},
"label": "Severity"
}
]
},
"time": {
"from": "now-6h",
"to": "now"
},
"timezone": "browser",
"title": "SIEM SOC - Privileged Accounts & UEBA",
"uid": "siem-soc-privileged-ueba",
"version": 1
}