diff --git a/dashboards/account-security-health/account-security-health.json b/dashboards/account-security-health/account-security-health.json new file mode 100644 index 0000000000..676d4c74ca --- /dev/null +++ b/dashboards/account-security-health/account-security-health.json @@ -0,0 +1,968 @@ +{ + "name": "Account Security Health", + "description": null, + "pages": [ + { + "name": "Security Audit", + "description": null, + "widgets": [ + { + "title": "", + "layout": { + "column": 1, + "row": 1, + "width": 12, + "height": 2 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.markdown" + }, + "rawConfiguration": { + "text": "## Security Audit Dashboard\n\nThis dashboard can be used to review your New Relic account audit activity to ensure your New Relic usage remains compliant with your organizational policies and expectations.\n\nThis page contains information on Authentication Domain activity and an overview of other types of account activity. The other tabs in this dashboard contain detailed information on various types of account activity.\n\nAuthentication Domain changes are typically relatively rare occurrences. If you see any, you should confirm that they were expected and are compliant with your organization's policies and expectations." + } + }, + { + "title": "Authentication Domain Changes", + "layout": { + "column": 1, + "row": 3, + "width": 2, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.billboard" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'Changes' where actionIdentifier like 'auth%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + }, + "thresholds": [ + { + "alertSeverity": "CRITICAL", + "value": 0 + } + ] + } + }, + { + "title": "Account Actions", + "layout": { + "column": 3, + "row": 3, + "width": 2, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.billboard" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'Account Actions' where actionIdentifier like 'account%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Role Actions", + "layout": { + "column": 5, + "row": 3, + "width": 2, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.billboard" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'Role Actions' where actionIdentifier like 'role%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Groups Created", + "layout": { + "column": 7, + "row": 3, + "width": 2, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.billboard" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'Groups Created' where actionIdentifier like 'group.create' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Group Access", + "layout": { + "column": 9, + "row": 3, + "width": 2, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.billboard" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'Group Access Granted' where actionIdentifier like 'group.grantAccess' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "User Type Changes", + "layout": { + "column": 11, + "row": 3, + "width": 2, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.billboard" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'Type Changes' where actionIdentifier like 'user.change_type' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Auth Domain Detail", + "layout": { + "column": 1, + "row": 6, + "width": 10, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT * where actionIdentifier like 'auth%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + } + ] + }, + { + "name": "API Key Detail", + "description": null, + "widgets": [ + { + "title": "", + "layout": { + "column": 1, + "row": 1, + "width": 12, + "height": 2 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.markdown" + }, + "rawConfiguration": { + "text": "## API Key Detail\n\nAPI keys are credentials used to authenticate to New Relic's APIs. You can view recent API key activity here to ensure they are compliant with your organization's policies, expectations, and customary usage.\n\nYou can review the data here for unexpected spikes in API key creation or unexpected API key actions and then drill into the detail for further analysis." + } + }, + { + "title": "API Key Actions", + "layout": { + "column": 1, + "row": 3, + "width": 4, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'API Key Actions' where actionIdentifier like 'api%' since 1 month ago facet actionIdentifier" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Key Action Timeseries", + "layout": { + "column": 5, + "row": 3, + "width": 6, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.line" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "legend": { + "enabled": true + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) as 'API Key Actions' where actionIdentifier like 'api%' since 1 month ago TIMESERIES facet actionIdentifier" + } + ], + "platformOptions": { + "ignoreTimeRange": false + }, + "thresholds": { + "isLabelVisible": true + }, + "yAxisLeft": { + "zero": true + }, + "yAxisRight": { + "zero": true + } + } + }, + { + "title": "Key Action Detail", + "layout": { + "column": 1, + "row": 6, + "width": 8, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT * where actionIdentifier like 'api%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + } + ] + }, + { + "name": "Account Detail", + "description": null, + "widgets": [ + { + "title": "", + "layout": { + "column": 1, + "row": 1, + "width": 12, + "height": 2 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.markdown" + }, + "rawConfiguration": { + "text": "## Account Detail\n\nThis page contains audit records for actions that impact your New Relic account. You can view recent account activity here to ensure they are compliant with your organization's policies, expectations, and customary usage.\n\nYou can review the data here for unexpected account actions and then drill into the detail for further analysis." + } + }, + { + "title": "Account Actions", + "layout": { + "column": 1, + "row": 3, + "width": 4, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier like 'account%' facet actionIdentifier since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Account Actions Timeseries", + "layout": { + "column": 5, + "row": 3, + "width": 7, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.line" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "legend": { + "enabled": true + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier like 'account%' facet actionIdentifier since 1 month ago TIMESERIES " + } + ], + "platformOptions": { + "ignoreTimeRange": false + }, + "thresholds": { + "isLabelVisible": true + }, + "yAxisLeft": { + "zero": true + }, + "yAxisRight": { + "zero": true + } + } + }, + { + "title": "Account Actions Detail", + "layout": { + "column": 1, + "row": 6, + "width": 11, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT * where actionIdentifier like 'account%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + } + ] + }, + { + "name": "Role Detail", + "description": null, + "widgets": [ + { + "title": "", + "layout": { + "column": 1, + "row": 1, + "width": 12, + "height": 2 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.markdown" + }, + "rawConfiguration": { + "text": "## Role Detail\n\nWithin the New Relic platform, roles dictate what a specific platform user can see and do. You can view recent role activity here to ensure they are compliant with your organization's policies, expectations, and customary usage.\n\nYou can review the data here for unexpected role additions, deletions, or changes and then drill into the detail for further analysis. You should confirm that any privilege escalations or changes are expected." + } + }, + { + "title": "Role Actions", + "layout": { + "column": 1, + "row": 3, + "width": 4, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier like 'role%' facet actionIdentifier since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Role Actions Timeseries", + "layout": { + "column": 5, + "row": 3, + "width": 7, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.line" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "legend": { + "enabled": true + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier like 'role%' facet actionIdentifier since 1 month ago TIMESERIES " + } + ], + "platformOptions": { + "ignoreTimeRange": false + }, + "thresholds": { + "isLabelVisible": true + }, + "yAxisLeft": { + "zero": true + }, + "yAxisRight": { + "zero": true + } + } + }, + { + "title": "Role Actions Detail", + "layout": { + "column": 1, + "row": 6, + "width": 11, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT * where actionIdentifier like 'role%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + } + ] + }, + { + "name": "Group Detail", + "description": null, + "widgets": [ + { + "title": "", + "layout": { + "column": 1, + "row": 1, + "width": 12, + "height": 2 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.markdown" + }, + "rawConfiguration": { + "text": "## Group Detail\n\nNew Relic groups allow you to manage the permissions for many users at the same time. You can view recent group activity here to ensure they are compliant with your organization's policies, expectations, and customary usage.\n\nYou can review the data here for unexpected group actions and then drill into the detail for further analysis. You should confirm that any new groups or new members of existing groups, especially where privilege escalations are involved, are expected." + } + }, + { + "title": "Group Actions", + "layout": { + "column": 1, + "row": 3, + "width": 4, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier like 'group%' facet actionIdentifier since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Group Actions Timeseries", + "layout": { + "column": 5, + "row": 3, + "width": 7, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.line" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "legend": { + "enabled": true + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier like 'group%' facet actionIdentifier since 1 month ago TIMESERIES " + } + ], + "platformOptions": { + "ignoreTimeRange": false + }, + "thresholds": { + "isLabelVisible": true + }, + "yAxisLeft": { + "zero": true + }, + "yAxisRight": { + "zero": true + } + } + }, + { + "title": "Group Actions Detail", + "layout": { + "column": 1, + "row": 6, + "width": 11, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT * where actionIdentifier like 'group%' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + } + ] + }, + { + "name": "User Detail", + "description": null, + "widgets": [ + { + "title": "", + "layout": { + "column": 1, + "row": 1, + "width": 11, + "height": 2 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.markdown" + }, + "rawConfiguration": { + "text": "## User Detail\n\nEach user of the New Relic platform is represented by a user account. You can view recent user account management activity here to ensure they are compliant with your organization's policies, expectations, and customary usage.\n\nYou can review the data here for unexpected user account actions and then drill into the detail for further analysis. You should confirm that any new users, user password changes, or user information updates are expected, especially for user accounts with administrative privileges." + } + }, + { + "title": "User Actions", + "layout": { + "column": 1, + "row": 3, + "width": 3, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier in ('user.create', 'user.delete', 'user.update', 'user.invited_peer_to_organization', 'user.change_type') facet actionIdentifier since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Password Changes", + "layout": { + "column": 4, + "row": 3, + "width": 3, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier = 'user.update' and description like 'user password%' facet description since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "User Actions Timeseries", + "layout": { + "column": 7, + "row": 3, + "width": 5, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.line" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "legend": { + "enabled": true + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT count(*) where actionIdentifier in ('user.create', 'user.delete', 'user.update', 'user.invited_peer_to_organization', 'user.change_type') facet actionIdentifier since 1 month ago TIMESERIES " + } + ], + "platformOptions": { + "ignoreTimeRange": false + }, + "thresholds": { + "isLabelVisible": true + }, + "yAxisLeft": { + "zero": true + }, + "yAxisRight": { + "zero": true + } + } + }, + { + "title": "User Actions Detail", + "layout": { + "column": 1, + "row": 6, + "width": 10, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrAuditEvent SELECT * where actionIdentifier in ('user.create', 'user.delete', 'user.update', 'user.invited_peer_to_organization', 'user.change_type') since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + } + ] + }, + { + "name": "Data Queries", + "description": null, + "widgets": [ + { + "title": "", + "layout": { + "column": 1, + "row": 1, + "width": 12, + "height": 1 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.markdown" + }, + "rawConfiguration": { + "text": "## Query Analysis\n\nThis page shows wildcard (SELECT * FROM . . / FROM * SELECT . . ) queries and CSV exports. You can use this page to review wildcard query and CSV export activity and verify that they are compliant with your organization's policies, expectations, and customary usage." + } + }, + { + "title": "Wildcard Queries by User", + "layout": { + "column": 1, + "row": 2, + "width": 4, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrdbQuery SELECT count(*) as 'Queries' where query like 'FROM % SELECT * %' or query like 'SELECT * FROM %' facet user since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Wildcard Queries by User Timeseries", + "layout": { + "column": 5, + "row": 2, + "width": 8, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.line" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "legend": { + "enabled": true + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrdbQuery SELECT count(*) where query like 'FROM % SELECT * %' or query like 'SELECT * FROM %' facet user since 1 month ago TIMESERIES " + } + ], + "platformOptions": { + "ignoreTimeRange": false + }, + "thresholds": { + "isLabelVisible": true + }, + "yAxisLeft": { + "zero": true + }, + "yAxisRight": { + "zero": true + } + } + }, + { + "title": "CSV Exports", + "layout": { + "column": 1, + "row": 5, + "width": 11, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrdbQuery SELECT productCapabilityId, productComponentId, query, query.eventType, source.name, user where productComponentId = 'insights.export-csv' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + }, + { + "title": "Wildcard Query Detail", + "layout": { + "column": 1, + "row": 8, + "width": 11, + "height": 3 + }, + "linkedEntityGuids": null, + "visualization": { + "id": "viz.table" + }, + "rawConfiguration": { + "facet": { + "showOtherSeries": false + }, + "nrqlQueries": [ + { + "accountId": 0, + "query": "FROM NrdbQuery SELECT productCapabilityId, productComponent, query, query.eventType, source.name, user where query like 'FROM % SELECT * %' or query like 'SELECT * FROM %' since 1 month ago" + } + ], + "platformOptions": { + "ignoreTimeRange": false + } + } + } + ] + } + ], + "variables": [] +} \ No newline at end of file diff --git a/dashboards/account-security-health/account-security-health.png b/dashboards/account-security-health/account-security-health.png new file mode 100644 index 0000000000..67a0051e73 Binary files /dev/null and b/dashboards/account-security-health/account-security-health.png differ diff --git a/quickstarts/account-security-health/config.yml b/quickstarts/account-security-health/config.yml new file mode 100644 index 0000000000..6dc98710fc --- /dev/null +++ b/quickstarts/account-security-health/config.yml @@ -0,0 +1,33 @@ +# Sets the URL name of the quickstart on public I/O (required) +slug: template + +# Displayed in the UI (required) +title: Account Security Health + +# Long-form description of the quickstart (required) +description: | + This dashboard can be used to review your New Relic account audit activity to ensure your New Relic usage remains compliant with your organizational policies and expectations. + +# Displayed in search results and recommendations. Summarizes a quickstarts functionality. +summary: | + An example New Relic account security audit dashboard. + +# Support level: New Relic | Verified | Community (required) +level: New Relic + +# Authors of the quickstart (required) +authors: + - Alec Isaacson + +# Keywords for filtering / searching criteria in the UI +keywords: + - security + - audit + - health + +# Reference to dashboards to be included in this quickstart +dashboards: + - account-security-health + +# Content / Design +icon: logo.png \ No newline at end of file diff --git a/quickstarts/account-security-health/logo.png b/quickstarts/account-security-health/logo.png new file mode 100644 index 0000000000..c8f4ce2225 Binary files /dev/null and b/quickstarts/account-security-health/logo.png differ