This repository was archived by the owner on Jul 15, 2020. It is now read-only.

[Post ATO] Write a Kibana dashboard to meet control AU.2.a #225

@ssaniev

Description


As a product owner, I need a Kibana dashboard that shows all of the logs in Kibana that contain the following items:

The organization shall determine that the information system is capable of auditing the following events [per ICS 500-27, Collection and Sharing of Audit Data, all ISs shall be capable of auditing success or failure of the following events]:

1. Authentication events;
   (1) Logons (Success/Failure)
   (2) Logoffs (Success)
2. File and Objects events;
   (1) Create (Success/Failure)
   (2) Access (Success/Failure)
   (3) Delete (Success/Failure)
   (4) Modify (Success/Failure)
   (5) Permission Modification (Success/Failure)
   (6) Ownership Modification (Success/Failure)
3. Writes/downloads to external devices/media (e.g., A-Drive, CD/DVD devices/printers) (Success/Failure);
4. Uploads from external devices (e.g., CD/DVD drives) (Success/Failure);
5. User and Group Management events;
   (1) User add, delete, modify, suspend, lock (Success/Failure)
   (2) Group/Role add, delete, modify (Success/Failure)
6. Use of Privileged/Special Rights events;
   (1) Security or audit policy changes (Success/Failure)
   (2) Configuration changes (Success/Failure)
7. Admin or root-level access (Success/Failure);
8. Privilege/Role escalation (Success/Failure);
9. Audit and log data accesses (Success/Failure);
10. System reboot, restart, and shutdown (Success/Failure);
11. Print to a device (Success/Failure);
12. Print to a file (e.g., PDF format) (Success/Failure);
13. Application (e.g., Firefox, Internet Explorer, MS Office Suite, etc.) initialization (Success/Failure);
14. Export of information (Success/Failure) include (e.g., to CDRW, thumb drives, or remote systems); and
15. Import of information (Success/Failure) include (e.g., from CDRW, thumb drives, or remote systems)

[Source: NIST SP 800-53 AU-2, ICS 500-27, CNSSI 1253F Attachment 3 (CDS Overlays) AU-2, CNSSI 1253F Attachment 6 (Privacy Overlays) AU-2, and NIST SP 800-161 (including the SCRM Overlay) SCRM AU-2]

List above updated to reflect items which can be retrieved through application audit events currently available within logsearch/kibana. Items with a strikethrough are items which can not be currently captured through audit events/messages in logsearch/kibana.
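To show how the AU-2.a items above translate into dashboard panels, here is an added example (not code from this issue or from the logsearch/kibana project) that maps audit records to the numbered items and their success/failure outcome, counts them, and builds the matching Kibana KQL filter for each panel. The record type names follow the Linux audit framework's vocabulary, but the log lines, the `type`/`res`/`success`/`key` field names, and the audit-rule keys used for file events are constructed assumptions for this example; a real deployment would substitute the field names its log pipeline actually indexes.

```python
"""Map constructed audit records to NIST SP 800-53 AU-2.a items and build Kibana KQL filters."""
import re
from collections import Counter

# Audit record types (Linux audit framework naming) evidencing non-file AU-2.a items.
# Field names and the sample lines below are assumptions constructed for this example.
AU2_BY_TYPE = {
    "USER_LOGIN": "1(1) Logon",
    "USER_LOGOUT": "1(2) Logoff",
    "ADD_USER": "5(1) User add/delete/modify",
    "DEL_USER": "5(1) User add/delete/modify",
    "USER_MGMT": "5(1) User add/delete/modify",
    "ADD_GROUP": "5(2) Group/Role add/delete/modify",
    "DEL_GROUP": "5(2) Group/Role add/delete/modify",
    "CONFIG_CHANGE": "6(2) Configuration changes",
    "USER_CMD": "7 Admin or root-level access",
    "SYSTEM_BOOT": "10 System reboot/restart/shutdown",
    "SYSTEM_SHUTDOWN": "10 System reboot/restart/shutdown",
}

# File/object events (item 2) arrive as SYSCALL records tagged by an audit-rule key.
# These key names are assumed; they would be whatever -k keys the audit rules define.
AU2_BY_KEY = {
    "file_create": "2(1) File create",
    "file_access": "2(2) File access",
    "file_delete": "2(3) File delete",
    "file_modify": "2(4) File modify",
    "perm_mod": "2(5) Permission modification",
    "owner_mod": "2(6) Ownership modification",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split a key=value audit line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(line):
    """Return (AU-2.a item, outcome) for a record, or None if it evidences no listed item."""
    rec = parse_record(line)
    rtype = rec.get("type")
    if rtype == "SYSCALL":
        item = AU2_BY_KEY.get(rec.get("key"))
        # SYSCALL records carry success=yes/no; every other type carries res=success/failed.
        outcome = "success" if rec.get("success") == "yes" else "failure"
    else:
        item = AU2_BY_TYPE.get(rtype)
        outcome = "success" if rec.get("res") == "success" else "failure"
    return None if item is None else (item, outcome)


def summarize(lines):
    """Count records per (item, outcome): the table a dashboard panel would render."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[hit] += 1
    return dict(counts)


def kql_for(item, outcome):
    """Build the Kibana KQL filter that selects one AU-2.a item and outcome."""
    keys = sorted(k for k, i in AU2_BY_KEY.items() if i == item)
    if keys:
        flag = "yes" if outcome == "success" else "no"
        return f"type:SYSCALL and key:({' or '.join(keys)}) and success:{flag}"
    types = sorted(t for t, i in AU2_BY_TYPE.items() if i == item)
    res = "success" if outcome == "success" else "failed"
    return f"type:({' or '.join(types)}) and res:{res}"


# Constructed sample records, not real captures.
SAMPLE_LINES = [
    'type=USER_LOGIN msg=audit(1): pid=1 uid=0 acct="alice" exe="/usr/sbin/sshd" res=success',
    'type=USER_LOGIN msg=audit(2): pid=1 uid=0 acct="bob" exe="/usr/sbin/sshd" res=failed',
    'type=USER_LOGIN msg=audit(3): pid=1 uid=0 acct="bob" exe="/usr/sbin/sshd" res=failed',
    'type=USER_LOGOUT msg=audit(4): pid=1 uid=0 acct="alice" res=success',
    'type=ADD_USER msg=audit(5): pid=2 uid=0 acct="carol" exe="/usr/sbin/useradd" res=success',
    'type=USER_CMD msg=audit(6): pid=3 uid=1000 cmd="/bin/systemctl restart sshd" res=success',
    'type=SYSCALL msg=audit(7): syscall=unlink success=yes exit=0 key="file_delete"',
    'type=SYSCALL msg=audit(8): syscall=chmod success=no exit=-13 key="perm_mod"',
    'type=SYSTEM_SHUTDOWN msg=audit(9): pid=1 uid=0 res=success',
    'type=CRED_ACQ msg=audit(10): pid=1 uid=0 acct="alice" res=success',  # not an AU-2.a item here
]

if __name__ == "__main__":
    for (item, outcome), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:3d}  {item:38s} {outcome:8s} {kql_for(item, outcome)}")
```

Each `kql_for` string is what you would paste into the query bar of one saved search per item, so that the dashboard has a panel per numbered line above with success and failure shown separately. Items 3, 4, 8, 9 and 11 through 15 are deliberately absent from the maps because their evidence does not arrive as audit-framework records in this construction; the mapping tables are the place to extend when a source for them is indexed.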
