Kibana dashboard grouping issues with domain and NT Authority

Hi All,

We use Kibana for a number of estates with different domains. I've been looking at creating dashboards for each domain to be monitored as a SIEM.

The basic setup I've got so far is using computer name and user domain to view event volume per machine.

Does anyone have any ideas for including events logged by System? They are tagged as "NT AUTHORITY" and are put into their own chart.

Hey @Yatesss, are you using the SIEM application built into the Stack, or are you trying to build your own SIEM?

Events which are generated by the system itself could be of interest when investigating system activity, so I'm hesitant to recommend that they should be entirely isolated from the other events.

Hi @Brandon_Kobel,

Thanks for your response.

In a nutshell, I'd like to create dashboards which group event volume etc. by specific "client sites" and be inclusive of "NT AUTHORITY\SYSTEM" events for the related "client site".

Currently, I have Sysmon data pushed via Winlogbeat to ECS and displayed in Kibana. I'm using the SIEM application, but we manage several "client sites", each with their own domain.

I'd like to create dashboards for each client to include all data. I've tried grouping by domain but then the "NT AUTHORITY\system" events are excluded and I'd like them included for each domain grouping.

For example, one workaround I attempted yesterday was to hard-code "fields.customer_id: customer1" into winlogbeat.yml and have a unique winlogbeat.yml for each client site.

That seemed to fit the purpose, but I think it will be limited to Sysmon logs, and it will need modifying for each client it's pushed to.

The other workaround I considered was to create an index for each estate, but there are quite a few, and I'm not sure what impact that would have on processing etc.

Many thanks,

Further update: this issue is now resolved. I'm sticking with tagging each log with a hard-coded client name under "fields.customer_id".

Thanks for your time.
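For readers landing on this thread with the same problem, here is what the chosen workaround looks like as a Winlogbeat configuration. This is an added example, not a config posted by the original poster; the customer name `customer1` and the event log list are assumptions for illustration. A top-level `fields` block is added to every event the shipper emits, whichever event log it came from, so Sysmon events, Security events and the `NT AUTHORITY\SYSTEM` events among them all carry the same `fields.customer_id` value and can be split by that field in a Kibana visualization instead of by `user.domain`.

```yaml
# winlogbeat.yml (added example, one copy per client site)
# Assumption: this shipper is deployed only on hosts belonging to "customer1".

winlogbeat.event_logs:
  # Sysmon operational log, as in the original setup
  - name: Microsoft-Windows-Sysmon/Operational
  # Security log: SYSTEM-generated events (4624 type 5 logons, service starts,
  # scheduled task runs) are exactly the ones a per-domain split would lose
  - name: Security

# Applied to every event from every event log above.
# With fields_under_root left at its default (false) the value is indexed as
# "fields.customer_id", matching the field name used in the thread.
fields:
  customer_id: customer1

# Set to true only if you want the field at the top level ("customer_id")
# instead of under "fields."; keep it consistent across all client sites.
fields_under_root: false

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]  # placeholder host
```

In the dashboard, bucket by `fields.customer_id` (terms aggregation) and, if you still want a per-domain breakdown, add `user.domain` as a sub-bucket. Events whose `user.domain` is `NT AUTHORITY` then appear as a sub-bucket inside the correct client rather than in a chart of their own. The operational cost is the one the original poster noted: each client site needs its own copy of the file, so treat the file as a per-site template and check that no host is deployed with another site's `customer_id`.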
