@idlethreat
Created August 4, 2017 19:45
Graylog Windows Login Events
{
"name":"Windows Logon Events",
"description":"Windows logon events dashboard: one widget per logon type over a 48-hour window",
"category":"Windows",
"inputs":[
],
"streams":[
],
"outputs":[
],
"dashboards":[
{
"title":"Windows Logon Events",
"description":"Windows Logon Events",
"dashboard_widgets":[
{
"description":"Logon Type 2 – Interactive - 48h - List",
"type":"QUICKVALUES",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"field":"TargetUserName",
"show_pie_chart":false,
"query":"\"Logon Type:\t\t\t2\"",
"show_data_table":true
},
"col":1,
"row":1,
"height":3,
"width":1
},
{
"description":"Logon Type 7 – Unlock - 48h",
"type":"QUICKVALUES",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"field":"TargetUserName",
"show_pie_chart":false,
"query":"\"Logon Type:\t\t\t7\"",
"show_data_table":true
},
"col":1,
"row":13,
"height":3,
"width":1
},
{
"description":"Logon Type 3 – Network - 48h - Users",
"type":"QUICKVALUES",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"field":"TargetUserName",
"show_pie_chart":false,
"query":"\"Logon Type:\t\t\t3\"",
"show_data_table":true
},
"col":1,
"row":4,
"height":3,
"width":1
},
{
"description":"Logon Type 8 – NetworkCleartext - 48h - Users",
"type":"QUICKVALUES",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"field":"TargetUserName",
"show_pie_chart":false,
"query":"\"Logon Type:\t\t\t8\"",
"show_data_table":true
},
"col":1,
"row":16,
"height":3,
"width":1
},
{
"description":"Logon Type 4 – Batch - 48h - Users",
"type":"QUICKVALUES",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"field":"TargetUserName",
"show_pie_chart":false,
"query":"\"Logon Type:\t\t\t4\"",
"show_data_table":true
},
"col":1,
"row":7,
"height":3,
"width":1
},
{
"description":"Logon Type 9 – NewCredentials - 48h",
"type":"SEARCH_RESULT_COUNT",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"lower_is_better":false,
"trend":false,
"query":"\"Logon Type:\t\t\t9\""
},
"col":1,
"row":19,
"height":1,
"width":1
},
{
"description":"(Success) Logon Type 10 – RemoteInteractive - 48h - Users",
"type":"QUICKVALUES",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"field":"TargetUserName",
"show_pie_chart":false,
"query":"\"Logon Type:\t\t\t10\" AND EventType:AUDIT_SUCCESS",
"show_data_table":true
},
"col":1,
"row":20,
"height":3,
"width":1
},
{
"description":"Logon Type 5 – Service - 48h - Users",
"type":"QUICKVALUES",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"field":"TargetUserName",
"show_pie_chart":false,
"query":"\"Logon Type:\t\t\t5\"",
"show_data_table":true
},
"col":1,
"row":10,
"height":3,
"width":1
},
{
"description":"(Fail) Logon Type 10 – RemoteInteractive - 48h - Count",
"type":"SEARCH_RESULT_COUNT",
"cache_time":10,
"configuration":{
"timerange":{
"type":"relative",
"range":172800
},
"lower_is_better":false,
"trend":false,
"query":"\"Logon Type:\t\t\t10\" AND EventType:AUDIT_FAILURE"
},
"col":1,
"row":23,
"height":1,
"width":1
}
]
}
],
"grok_patterns":[
]
}