
Paradise by Your Dashboard Lights

Hey there, internet travelers! Thanks for stopping by, and I hope you’re enjoying the Graylog GO conference so far. It’s been a great user conference with awesome talks and keynotes, and there are more great sessions coming up. Speaking of great talks, now you’re stuck with mine, so let’s get started!

Welcome to “Paradise by Your Dashboard Lights.” No, this has nothing to do with an iconic ’80s singer or a meal that tests your ability to appreciate family members. This is about building dashboards—specifically, creating the information you want to see when you need to see it using Graylog.

We’ll go through several stages in this session, starting with how to build an effective dashboard, some tools, and techniques we’ve found useful along the way. We’ll use a “crawl-walk-run” approach, starting with the basics and leveling up as we go.

Hi, my name is Abe, Director of Professional Services here at Graylog. My job is to ensure that when you come on board as part of the Graylog family, you’re set up with a turnkey solution. My team of brilliant engineers and I work to provide you with everything you need for success. I’ve been in the security space for many years, and now I’m focused on helping you make the most of Graylog, whether through services or through teaching courses at our Academy.

How do we build good dashboards?

One of the first questions people ask is, “I’ve got my data coming in—how do I make this show what I want to see?” The most important thing is to answer the critical question: What do you need to see?

Often, people throw their data into the system and want to know how to make it look pretty, but functionality is what matters most. You need to ask yourself what information helps solve a specific use case or business problem. Once you know that, figure out what data will answer that question. From there, can you simulate it? If you’re watching server logs, can you simulate a server going down? If you’re watching security logs, can you test your controls?

Remember, you’re not using Graylog to replace existing controls like EDR or anti-malware. Instead, you’re centralizing events and activities from multiple solutions in one place. This allows you to paint a holistic picture of your environment, including identifying blind spots in security or operations.

Your dashboard and log tools are there to help you find the unknown, not the known—that’s easy for existing tools to handle. We’re looking for what hasn’t been identified yet. It’s not a perfect science, but we can show plenty of data that will help either during an incident or by proactively building visualizations to answer questions.

Example: Unauthorized Executions

Let’s walk through an example. Coming from a security background, I’ll focus on unauthorized executions. Unauthorized executions are simply the current executions that are not in your set of authorized executions: the difference between the two. This is fairly easy to calculate.

Before building your dashboard, it’s helpful to sketch out ideas on paper or a whiteboard. Once you have a plan, it’s easier to validate and confirm that the data you’re seeing is accurate. For instance, you can simulate an unauthorized execution by kicking a server to see how Graylog captures it.

We’ll use some of our favorite tools, such as Sysmon, to bring in parsed data for us. One of my go-to features is “Show Top Values,” which gives me a quick overview of what’s in the dataset, such as DNS queries or registry values. From there, I can refine my queries and filter the logs down to specific events, like created processes or executables.

Let’s take that data and start building a dashboard. I can easily convert the top values into a pie chart or other visualization, rename categories like parent processes, and begin to create a meaningful dashboard. For instance, if I see command.exe or any other suspicious process, I can highlight it and track it on the dashboard.

We started with a simple crawl—just identifying and displaying executions. Next, we walk by refining the dashboard to focus on specific actions, like unauthorized code execution. The dashboard can quickly show us unauthorized events as they happen, helping us make sense of them.

Leveling Up

Now, let’s level this up. Two features that really enhance dashboards are lookups and parameters. Lookups allow us to enrich the information in front of us by fetching additional data from third-party systems, such as internal CMDBs. For instance, I can associate internal IP addresses with usernames, departments, and other metadata. This helps track activities and make better decisions, whether managing resources or identifying security risks.
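As an added example (not code from the talk or from Graylog), here are the crawl-walk-run pieces from the unauthorized executions section and the lookup enrichment from this one in a single Python script: a “Show Top Values” count, the unauthorized-executions set difference over Sysmon process-creation events, and a CMDB-style lookup that attaches user and department to each event. The Sysmon records, the allowlist and the CMDB table are all constructed for this example.

```python
from collections import Counter

# Constructed Sysmon records (Event ID 1 = process create), already parsed into
# fields as Graylog would show them; one Event ID 3 record is included to show filtering.
SYSMON_EVENTS = [
    {"event_id": 1, "src_ip": "10.0.0.11", "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 1, "src_ip": "10.0.0.11", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "src_ip": "10.0.0.12", "image": r"C:\Program Files\App\app.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "src_ip": "10.0.0.12", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 1, "src_ip": "10.0.0.13", "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 3, "src_ip": "10.0.0.13", "image": r"C:\Windows\System32\svchost.exe", "parent_image": ""},
]

# Constructed allowlist: the "authorized executions", stored lower-case.
AUTHORIZED_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\windows\explorer.exe",
                     r"c:\program files\app\app.exe"}

# Constructed CMDB lookup table keyed by internal IP (the lookup-table data source).
CMDB = {"10.0.0.11": {"user": "alice", "department": "finance"},
        "10.0.0.12": {"user": "bob", "department": "engineering"}}


def top_values(events, field, n=5):
    """The 'Show Top Values' view: most common values of one field."""
    return Counter(e[field] for e in events).most_common(n)


def unauthorized_executions(events, allowlist):
    """Current executions minus authorized executions, over Sysmon ID 1 only.
    Paths are compared case-insensitively because Windows paths are."""
    return [e for e in events
            if e["event_id"] == 1 and e["image"].lower() not in allowlist]


def enrich(event, cmdb):
    """Lookup enrichment: attach CMDB user/department by source IP."""
    info = cmdb.get(event["src_ip"], {"user": "unknown", "department": "unknown"})
    return {**event, **info}


def unauthorized_report(events=SYSMON_EVENTS, allowlist=AUTHORIZED_IMAGES, cmdb=CMDB):
    """What the dashboard widgets would plot: enriched unauthorized events and
    top-value counts of the image and its parent process."""
    bad = [enrich(e, cmdb) for e in unauthorized_executions(events, allowlist)]
    return {"events": bad,
            "top_images": top_values(bad, "image"),
            "top_parents": top_values(bad, "parent_image")}
```

Of the constructed records, only cmd.exe and the Temp-folder update.exe fall outside the allowlist, and the lookup tags the second one with bob in engineering, which is the row you would pivot on in the dashboard.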

Parameters are another powerful tool. By building cascading dashboards, you can pass data between dashboards in real-time. This can be particularly useful when working with specific IDs or processes and needing to track down related activities.

For example, if you have a temp file created by a certain process, you can track that process UID across multiple dashboards to get a clearer picture of what’s happening. This is just one method of solving tricky problems like mapping Active Directory group policy objects.

Conclusion

We’ve gone from crawling to walking, and now we’re ready to hack the planet! By adding advanced features like lookups and parameters, you can take your dashboards to the next level.

Thanks again for attending this talk! You can find me on Twitter at @bigAbe20, or track me down on LinkedIn. Don’t forget to check out graylog.com or academy.graylog.org for more training sessions. Let us know how you enjoyed the rest of Graylog GO! Take care and happy logging!