Splunk dashboard for Windows Event Collection - Logon Activities
<!--
  Splunk Simple XML form dashboard over Windows Security EventCode=4624 (successful logon)
  events in index=windows. Three panels share the time-range input; the text inputs
  (username, sid, computer) are applied only by the "Logon Activities" table search.
  NOTE(review): the free-text tokens are substituted unquoted into SPL (see the table
  search below). Splunk's |s token filter would quote and escape them; confirm that the
  "*" default still acts as a wildcard once quoted before changing the searches.
-->
<form>
<label>Windows Event Collection - Logon Activities</label>
<fieldset submitButton="false" autoRun="true">
<!-- Free-text account filter; "*" matches everything. Consumed only by the table search. -->
<input type="text" token="username" searchWhenChanged="true">
<label>Username</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<!-- Free-text Security_ID filter; "*" matches everything. Consumed only by the table search. -->
<input type="text" token="sid" searchWhenChanged="true">
<label>Security ID</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<!-- Free-text ComputerName filter; "*" matches everything. Consumed only by the table search. -->
<input type="text" token="computer" searchWhenChanged="true">
<label>Computer Name (FQDN)</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
<!-- Shared time range; every search below reads $time.earliest$ / $time.latest$. Default: last 24 hours, snapped to the hour. -->
<input type="time" token="time">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<!--
  Each choice value is a complete SPL term that is substituted as $lm$ into the
  first and third searches. The second chart hardcodes Logon_Type!=7 and ignores this token.
-->
<input type="dropdown" token="lm" searchWhenChanged="true">
<label>Logon Method</label>
<choice value="Logon_Type=*">All</choice>
<choice value="Logon_Type=2">Interactive</choice>
<choice value="Logon_Type=3">Network</choice>
<choice value="Logon_Type=4">Scheduled Task</choice>
<choice value="Logon_Type=5">Service Account</choice>
<choice value="Logon_Type=7">Unlock</choice>
<choice value="Logon_Type=8">Network Cleartext</choice>
<choice value="Logon_Type=9">New Credentials</choice>
<choice value="Logon_Type=10">Remote Desktop/Interactive</choice>
<choice value="Logon_Type=11">Cached Interactive</choice>
<default>Logon_Type=*</default>
<initialValue>Logon_Type=*</initialValue>
</input>
<!--
  Process-name restriction. Selected choice values are joined with the delimiter (a single
  space) and substituted as $filter1$ into "| search" in the first and third searches; the
  second chart ignores it. The "Show Winlogon.exe" choice also matches svchost.exe, which the
  label does not say. The default appears to use CSV-style quoting (doubled inner quotes) of
  the winlogon/svchost choice value, so by default only events whose Process_Name is
  winlogon.exe or svchost.exe are shown. TODO confirm what $filter1$ holds when no box is
  checked (an unset token would leave the dependent searches waiting).
-->
<input type="checkbox" token="filter1" searchWhenChanged="true">
<label>Process Name Filter</label>
<choice value="Process_Name=&quot;C:\\Windows\\System32\\lsass.exe&quot;">Show LSASS.exe</choice>
<choice value="Process_Name=&quot;C:\\Windows\\System32\\winlogon.exe&quot; OR Process_Name=&quot;C:\\Windows\\System32\\svchost.exe&quot;">Show Winlogon.exe</choice>
<delimiter> </delimiter>
<default>"Process_Name=""C:\\Windows\\System32\\winlogon.exe"" OR Process_Name=""C:\\Windows\\System32\\svchost.exe"""</default>
<initialValue>Process_Name="C:\\Windows\\System32\\winlogon.exe" OR Process_Name="C:\\Windows\\System32\\svchost.exe"</initialValue>
</input>
<!--
  Column list for the "| table $filter2$" command in the table search. Every quoted name
  must match an alias produced by that search's rename command.
-->
<input type="radio" searchWhenChanged="true" token="filter2">
<label>Display Filter</label>
<choice value="_time, &quot;Logon Method&quot;, &quot;Domain&quot;, &quot;Username&quot;, &quot;Security ID&quot;, &quot;Hostname&quot;">Basic View</choice>
<choice value="_time, &quot;Logon Method&quot;, &quot;Domain&quot;, &quot;Username&quot;, &quot;Security ID&quot;, &quot;Logon ID&quot;, &quot;Hostname&quot;, &quot;Process ID&quot;, &quot;Process Name&quot;, &quot;Remote Hostname&quot;, &quot;Remote Host IP&quot;, &quot;Remote Host Port&quot;">Advanced View</choice>
<default>_time, "Logon Method", "Domain", "Username", "Security ID", "Hostname"</default>
<initialValue>_time, "Logon Method", "Domain", "Username", "Security ID", "Hostname"</initialValue>
</input>
</fieldset>
<row>
<panel>
<!--
  Pie chart, top 10 accounts by host_count = dc(ComputerName): the number of distinct
  hosts an account logged on to, not a logon count, despite the title. Unlike the table
  search this one does not mvindex Account_Name to the second value, so if the field is
  multivalued (Subject and New Logon, as the table search presumes) stats groups by every
  value. The rex-extracted fields (New_Logon, sec_id, acc_name, acc_domain, logon_id,
  process_id, process_name) are not referenced after extraction; note the acc_domain class
  [A-Za-z0-9]+ excludes "-" and ".", so the second rex would not match a hyphenated domain.
  Honours $lm$ and $filter1$; ignores username/sid/computer.
-->
<chart>
<title>Users with the most logons ( Top 10 )</title>
<search>
<query>index=windows LogName="Security" EventCode=4624 $lm$
| eval LogonMethod=case(Logon_Type == 2,"Interactive",Logon_Type == 3,"Network",Logon_Type == 4,"Scheduled Task",Logon_Type == 5,"Service Account",Logon_Type == 7,"Unlock",Logon_Type == 8,"Network Cleartext",Logon_Type == 9,"New Credentials",Logon_Type == 10,"Remote Desktop/Interactive",Logon_Type == 11,"Cached Interactive")
| rex field=Message "New\sLogon\:\s(?&lt;New_Logon&gt;[\s\S]+)Process\sInformation\:\s(?&lt;Process_Information&gt;[\s\S]+)Network\sInformation\:\s(?&lt;Network_Information&gt;[\s\S]+)Detailed Authentication Information:"
| rex field=New_Logon "Security\sID:\s+(?&lt;sec_id&gt;[a-zA-Z0-9\-]+)\s+Account\sName:\s+(?&lt;acc_name&gt;[A-Za-z0-9\_\-\.]+)\s+Account\sDomain:\s+(?&lt;acc_domain&gt;[A-Za-z0-9]+)\s+Logon\sID:\s+(?&lt;logon_id&gt;[xa-fA-F0-9]+)\s+"
| rex field=Process_Information "Process\sID:\s+(?&lt;process_id&gt;[A-Za-z0-9]+)\s+Process\sName:\s+(?&lt;process_name&gt;[A-Za-z0-9\\\_\-\:\.]+)"
| rename Account_Name as Username
| search $filter1$
| stats dc(ComputerName) as host_count by Username
| sort - host_count limit=10</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.chart.sliceCollapsingThreshold">0.0005</option>
</chart>
</panel>
<panel>
<!--
  Pie chart of event count per LogonMethod with unlock events removed (Logon_Type!=7).
  This search uses no dashboard token except the time range: $lm$, $filter1$ and the
  text inputs do not affect it. The rex extractions are again unused downstream.
-->
<chart>
<title>Count of Logon Method ( not including unlocks )</title>
<search>
<query>index=windows LogName="Security" EventCode=4624 Logon_Type!=7
| eval LogonMethod=case(Logon_Type == 2,"Interactive",Logon_Type == 3,"Network",Logon_Type == 4,"Scheduled Task",Logon_Type == 5,"Service Account",Logon_Type == 7,"Unlock",Logon_Type == 8,"Network Cleartext",Logon_Type == 9,"New Credentials",Logon_Type == 10,"Remote Desktop/Interactive",Logon_Type == 11,"Cached Interactive")
| rex field=Message "New\sLogon\:\s(?&lt;New_Logon&gt;[\s\S]+)Process\sInformation\:\s(?&lt;Process_Information&gt;[\s\S]+)Network\sInformation\:\s(?&lt;Network_Information&gt;[\s\S]+)Detailed Authentication Information:"
| rex field=New_Logon "Security\sID:\s+(?&lt;sec_id&gt;[a-zA-Z0-9\-]+)\s+Account\sName:\s+(?&lt;acc_name&gt;[A-Za-z0-9\_\-\.]+)\s+Account\sDomain:\s+(?&lt;acc_domain&gt;[A-Za-z0-9]+)\s+Logon\sID:\s+(?&lt;logon_id&gt;[xa-fA-F0-9]+)\s+"
| rex field=Process_Information "Process\sID:\s+(?&lt;process_id&gt;[A-Za-z0-9]+)\s+Process\sName:\s+(?&lt;process_name&gt;[A-Za-z0-9\\\_\-\:\.\s]+)"
| rename Account_Name as Username
| chart count(LogonMethod) by LogonMethod</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
</chart>
</panel>
</row>
<row>
<panel>
<!--
  Main event table. mvindex(..., 1) keeps the second value of Account_Domain,
  Account_Name and Security_ID, presumably the "New Logon" section of 4624 rather than the
  "Subject" (confirm against your field extraction). The "| search" line splices
  $username$, $sid$, $computer$ and $filter1$ into SPL unquoted (see the note at the top of
  the file). process_id and logon_id are converted from hex but never displayed: the
  "Process ID" and "Logon ID" columns come from the renamed Process_ID / Logon_ID fields.
  In the rename list, `Account_Name as "Username" Account_Domain as "Domain"` has no comma
  between the two pairs while every other pair is comma-separated; confirm the parser
  accepts that form or add the comma for consistency. Columns are chosen by $filter2$,
  newest event first; the count option sets the rows shown per page.
-->
<table>
<title>Logon Activities</title>
<search>
<query>index=windows LogName="Security" EventCode=4624 $lm$
| eval LogonMethod=case(Logon_Type == 2,"Interactive",Logon_Type == 3,"Network",Logon_Type == 4,"Scheduled Task",Logon_Type == 5,"Service Account",Logon_Type == 7,"Unlock",Logon_Type == 8,"Network Cleartext",Logon_Type == 9,"New Credentials",Logon_Type == 10,"Remote Desktop/Interactive",Logon_Type == 11,"Cached Interactive")
| eval Account_Domain=mvindex(Account_Domain, 1)
| eval Account_Name=mvindex(Account_Name, 1)
| eval Security_ID=mvindex(Security_ID, 1)
| rex field=Message "New\sLogon\:\s(?&lt;New_Logon&gt;[\s\S]+)Process\sInformation\:\s(?&lt;Process_Information&gt;[\s\S]+)Network\sInformation\:\s(?&lt;Network_Information&gt;[\s\S]+)Detailed Authentication Information:"
| rex field=New_Logon "Security\sID:\s+(?&lt;sec_id&gt;[a-zA-Z0-9\-]+)\s+Account\sName:\s+(?&lt;acc_name&gt;[A-Za-z0-9\_\-\.]+)\s+Account\sDomain:\s+(?&lt;acc_domain&gt;[A-Za-z0-9]+)\s+Logon\sID:\s+(?&lt;logon_id&gt;[xa-fA-F0-9]+)\s+"
| rex field=Process_Information "Process\sID:\s+(?&lt;process_id&gt;[A-Za-z0-9]+)\s+Process\sName:\s+(?&lt;process_name&gt;[A-Za-z0-9\\\_\-\:\.\s\(\)]+)"
| search Account_Name="$username$" Security_ID="$sid$" ComputerName="$computer$" $filter1$
| eval process_id = tonumber(process_id, 16)
| eval logon_id = tonumber(logon_id, 16)
| rename LogonMethod as "Logon Method", Security_ID as "Security ID", Account_Name as "Username" Account_Domain as "Domain", Logon_ID as "Logon ID", Logon_GUID as "Logon GUID", Process_ID as "Process ID", Process_Name as "Process Name", ComputerName as "Hostname", Workstation_Name as "Remote Hostname", Source_Network_Address as "Remote Host IP", Source_Port as "Remote Host Port"
| table $filter2$ | sort - _time</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">50</option>
</table>
</panel>
</row>
</form>