Kibana 7.10 - "Evidence of administrator activity being logged and monitoring."

Hello everyone,

I am assisting in data gathering for an upcoming audit and I am trying to use Kibana to search for 'Evidence of admin activity being logged' but I cannot seem to grasp the needed search parameters.

I am also searching through docs.chaossearch.io in hopes of finding documentation myself but I have not found anything useful yet. Any guidance or help would be much appreciated.

Thank you!

Can you provide more context about what your issue is?

What you need to search for to be evidence of admin activity depends entirely on what kind of data you have in Elasticsearch.

Not sure what Chaossearch is, but it is not an Elastic tool.


In addition, if you have audit logging enabled in your stack (Kibana and ES at the least), you can prepare some kind of dashboard for some specific users.

Greetings leandrojmp and Ayush_Mathur!

Thank you for the prompt reply. So my background is that we are using Armor to host servers for our customer, and Armor uses ChaosSearch Analytics as the way for us to search our ingested logs. Thank you for clarifying that ChaosSearch is not an Elastic tool. I'm fairly new to this, so I'm still learning everything and I could be looking for help in the wrong place.

I believe that my overall issue is that I just do not seem to know how to search our ingested logs to find the logs related to "Administrative Activity" on Windows Servers. I have a list of Domain Admin usernames for this customer so my next thought is to generate activity via one of these accounts and then search through our logs for the specific admin account.

This is part of my issue as well. Armor provides a Log Search Field Glossary and a link to the ECS Field Reference, so I have been trying to search through our logs using these search fields, but it is also possible that my issue could lie with how Armor parses the ingested logs.
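As an added illustration (not from any participant in this thread, and not Armor's or Elastic's code): assuming the Windows Security log is ingested in ECS shape with Winlogbeat-style field names (event.code, user.name, host.name, winlog.event_data.TargetUserName), the script below builds the KQL you would paste into the Kibana search bar for a list of Domain Admin accounts and runs the same filter over a handful of constructed sample documents, so you can see which events count as "administrative activity" before you query the real index. The event IDs are Microsoft-documented Security audit events; the field names and the sample documents are assumptions, and the field names in particular must be checked against what the ingestion pipeline actually produces.

```python
"""Filter ECS-shaped Windows Security events for Domain Admin activity.

Added example for the thread above; field names follow Winlogbeat's ECS
mapping and are an assumption. All sample documents are constructed.
"""
from __future__ import annotations

# Windows Security event IDs that indicate administrative activity.
# Illustrative selection; 4672 fires for every privileged logon, so it
# only means "admin activity" once restricted to known admin accounts.
ADMIN_EVENT_CODES = {
    "4672": "Special privileges assigned to new logon",
    "4720": "A user account was created",
    "4728": "A member was added to a security-enabled global group",
    "4732": "A member was added to a security-enabled local group",
    "4756": "A member was added to a security-enabled universal group",
    "4719": "System audit policy was changed",
}

# Constructed ECS-like documents, the shape Winlogbeat would produce.
SAMPLE_DOCS = [
    {"@timestamp": "2021-03-01T09:00:00Z", "event": {"code": "4624"},
     "user": {"name": "jsmith"}, "host": {"name": "WS01"}},
    {"@timestamp": "2021-03-01T09:05:00Z", "event": {"code": "4672"},
     "user": {"name": "da_admin1"}, "host": {"name": "DC01"}},
    {"@timestamp": "2021-03-01T09:06:00Z", "event": {"code": "4728"},
     "user": {"name": "da_admin1"}, "host": {"name": "DC01"},
     "winlog": {"event_data": {"TargetUserName": "Domain Admins",
                               "MemberName": "CN=New User,OU=Staff,DC=corp,DC=local"}}},
    {"@timestamp": "2021-03-01T09:07:00Z", "event": {"code": "4672"},
     "user": {"name": "SYSTEM"}, "host": {"name": "DC01"}},   # noise: not a DA account
    {"@timestamp": "2021-03-01T10:00:00Z", "event": {"code": "4720"},
     "user": {"name": "da_admin2"}, "host": {"name": "DC01"}},
]


def kql_for(admins: set[str]) -> str:
    """KQL for the Kibana search bar, equivalent to admin_activity() below."""
    codes = " or ".join(sorted(ADMIN_EVENT_CODES))
    users = " or ".join(f'"{u}"' for u in sorted(admins))
    return f"event.code: ({codes}) and user.name: ({users})"


def get_field(doc: dict, path: str):
    """Walk a dotted ECS path ('winlog.event_data.TargetUserName')."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def admin_activity(docs: list[dict], admins: set[str]) -> list[dict]:
    """Return the events that are both an admin-type event and by a DA account."""
    admins_lc = {a.lower() for a in admins}   # Windows usernames are case-insensitive
    hits = []
    for d in docs:
        code = str(get_field(d, "event.code") or "")
        user = str(get_field(d, "user.name") or "")
        if code in ADMIN_EVENT_CODES and user.lower() in admins_lc:
            hits.append({
                "timestamp": get_field(d, "@timestamp"),
                "host": get_field(d, "host.name"),
                "user": user,
                "event_code": code,
                "description": ADMIN_EVENT_CODES[code],
                "target": get_field(d, "winlog.event_data.TargetUserName"),
            })
    return hits


def summarize(hits: list[dict]) -> dict[tuple[str, str], int]:
    """Counts per (user, event_code): the table an auditor usually asks for."""
    counts: dict[tuple[str, str], int] = {}
    for h in hits:
        key = (h["user"], h["event_code"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    domain_admins = {"DA_Admin1", "da_admin2"}   # constructed account list
    print("KQL:", kql_for(domain_admins))
    for h in admin_activity(SAMPLE_DOCS, domain_admins):
        print(h["timestamp"], h["host"], h["user"], h["event_code"], h["description"], h["target"])
    print(summarize(admin_activity(SAMPLE_DOCS, domain_admins)))
```

Two things to verify against the real index before trusting the query: that the parsed documents carry the acting account in user.name at all (Winlogbeat also keeps the raw winlog.event_data.SubjectUserName, and a different pipeline may only populate that), and that the 4672 events returned are from the listed accounts rather than SYSTEM or service accounts, which is why the username filter is part of the query and not an afterthought.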
