Splunk dashboard for Windows Event Collection - Logon Activities
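<form>
  <!--
    Windows Event Collection: logon activity built on Security event 4624.

    Field assumptions: every panel uses the fields a Windows add-on already
    extracts (EventCode, Logon_Type, Account_Name, Security_ID, Process_Name,
    ComputerName, Workstation_Name, Source_Network_Address, Source_Port). The
    per-event rex re-extractions that produced unused lowercase copies
    (sec_id, acc_name, process_id, logon_id, ...) have been removed; nothing
    displayed ever read them.

    Token hygiene: the free-text inputs (username, sid, computer) are spliced
    into SPL verbatim, and any token can also be supplied through the dashboard
    URL (form.username=...). They are quoted with the |s token filter where
    they are used, so a value containing quotes, pipes or boolean operators
    cannot change the structure of the search. The dropdown, radio and checkbox
    tokens carry raw SPL fragments by design; they are only as trustworthy as
    the user running the dashboard (who already holds search rights on
    index=windows) and should not be turned into free-text inputs.
  -->
  <label>Windows Event Collection - Logon Activities</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- Free-text filters. "*" matches everything; values are quoted via |s in the searches below. -->
    <input type="text" token="username" searchWhenChanged="true">
      <label>Username</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="sid" searchWhenChanged="true">
      <label>Security ID</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="computer" searchWhenChanged="true">
      <label>Computer Name (FQDN)</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="time" token="time">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!--
      Logon_Type filter. Types 8 (password sent in the clear over the network),
      9 (alternate credentials, runas /netonly style) and 10 (RDP) are the ones
      most worth reviewing for credential misuse. Logon types not listed here
      still match "All"; the searches label them "Other (n)" instead of dropping
      them, which the original case() without a default did.
    -->
    <input type="dropdown" token="lm" searchWhenChanged="true">
      <label>Logon Method</label>
      <choice value="Logon_Type=*">All</choice>
      <choice value="Logon_Type=2">Interactive</choice>
      <choice value="Logon_Type=3">Network</choice>
      <choice value="Logon_Type=4">Scheduled Task</choice>
      <choice value="Logon_Type=5">Service Account</choice>
      <choice value="Logon_Type=7">Unlock</choice>
      <choice value="Logon_Type=8">Network Cleartext</choice>
      <choice value="Logon_Type=9">New Credentials</choice>
      <choice value="Logon_Type=10">Remote Desktop/Interactive</choice>
      <choice value="Logon_Type=11">Cached Interactive</choice>
      <default>Logon_Type=*</default>
      <initialValue>Logon_Type=*</initialValue>
    </input>
    <!--
      Process-name filter. The token is assembled as "(" choice OR choice ")"
      so that ticking several boxes widens the match. The previous space
      delimiter produced "A B OR C", which Splunk parses as A AND (B OR C), so
      checking both boxes matched nothing; the previous default also carried
      doubled quotes and did not equal any choice value. If every box is
      cleared the token is empty or unset (version dependent) and the panels
      that use it will not run; keep at least one box checked.
    -->
    <input type="checkbox" token="filter1" searchWhenChanged="true">
      <label>Process Name Filter</label>
      <choice value="Process_Name=&quot;C:\\Windows\\System32\\lsass.exe&quot;">Show LSASS.exe</choice>
      <choice value="Process_Name=&quot;C:\\Windows\\System32\\winlogon.exe&quot; OR Process_Name=&quot;C:\\Windows\\System32\\svchost.exe&quot;">Show Winlogon.exe / svchost.exe</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <delimiter> OR </delimiter>
      <default>Process_Name="C:\\Windows\\System32\\winlogon.exe" OR Process_Name="C:\\Windows\\System32\\svchost.exe"</default>
      <initialValue>Process_Name="C:\\Windows\\System32\\winlogon.exe" OR Process_Name="C:\\Windows\\System32\\svchost.exe"</initialValue>
    </input>
    <!-- Column set for the table panel; values are the renamed field names used there. -->
    <input type="radio" searchWhenChanged="true" token="filter2">
      <label>Display Filter</label>
      <choice value="_time, &quot;Logon Method&quot;, &quot;Domain&quot;, &quot;Username&quot;, &quot;Security ID&quot;, &quot;Hostname&quot;">Basic View</choice>
      <choice value="_time, &quot;Logon Method&quot;, &quot;Domain&quot;, &quot;Username&quot;, &quot;Security ID&quot;, &quot;Logon ID&quot;, &quot;Hostname&quot;, &quot;Process ID&quot;, &quot;Process Name&quot;, &quot;Remote Hostname&quot;, &quot;Remote Host IP&quot;, &quot;Remote Host Port&quot;">Advanced View</choice>
      <default>_time, "Logon Method", "Domain", "Username", "Security ID", "Hostname"</default>
      <initialValue>_time, "Logon Method", "Domain", "Username", "Security ID", "Hostname"</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <!--
        Distinct hosts per account (lateral-movement indicator). The title now
        says what the stats line measures; the old title said "most logons"
        while the query counted dc(ComputerName). mvindex(...,1) selects the
        "New Logon" account from the two-valued Account_Name field (index 0 is
        the Subject), matching the table panel; without it every event was
        also attributed to the subject account.
      -->
      <chart>
        <title>Users seen on the most distinct hosts ( Top 10 )</title>
        <search>
          <query>index=windows LogName="Security" EventCode=4624 $lm$ $filter1$
| eval Account_Name=mvindex(Account_Name, 1)
| rename Account_Name as Username
| stats dc(ComputerName) as host_count by Username
| sort 10 - host_count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.0005</option>
      </chart>
    </panel>
    <panel>
      <!--
        Breakdown by logon type, excluding unlocks (type 7). Deliberately
        ignores the $lm$ and $filter1$ tokens so the pie always shows the
        whole population. The true() branch keeps unmapped types visible.
      -->
      <chart>
        <title>Count of Logon Method ( not including unlocks )</title>
        <search>
          <query>index=windows LogName="Security" EventCode=4624 Logon_Type!=7
| eval LogonMethod=case(Logon_Type == 2,"Interactive",Logon_Type == 3,"Network",Logon_Type == 4,"Scheduled Task",Logon_Type == 5,"Service Account",Logon_Type == 7,"Unlock",Logon_Type == 8,"Network Cleartext",Logon_Type == 9,"New Credentials",Logon_Type == 10,"Remote Desktop/Interactive",Logon_Type == 11,"Cached Interactive",true(),"Other (" . Logon_Type . ")")
| stats count by LogonMethod</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <!--
        Event-level view. Free-text tokens are wrapped with |s so they arrive
        as quoted literals ("*" still wildcards inside quotes). Logon_ID and
        Process_ID are left in the hex form the event records so rows can be
        correlated with other Security events by Logon ID; the earlier
        decimal conversion was applied to rex fields the table never showed.
        The rename list now has the comma that was missing between
        "Username" and Account_Domain.
      -->
      <table>
        <title>Logon Activities</title>
        <search>
          <query>index=windows LogName="Security" EventCode=4624 $lm$ $filter1$
| eval LogonMethod=case(Logon_Type == 2,"Interactive",Logon_Type == 3,"Network",Logon_Type == 4,"Scheduled Task",Logon_Type == 5,"Service Account",Logon_Type == 7,"Unlock",Logon_Type == 8,"Network Cleartext",Logon_Type == 9,"New Credentials",Logon_Type == 10,"Remote Desktop/Interactive",Logon_Type == 11,"Cached Interactive",true(),"Other (" . Logon_Type . ")")
| eval Account_Domain=mvindex(Account_Domain, 1)
| eval Account_Name=mvindex(Account_Name, 1)
| eval Security_ID=mvindex(Security_ID, 1)
| search Account_Name=$username|s$ Security_ID=$sid|s$ ComputerName=$computer|s$
| rename LogonMethod as "Logon Method", Security_ID as "Security ID", Account_Name as "Username", Account_Domain as "Domain", Logon_ID as "Logon ID", Logon_GUID as "Logon GUID", Process_ID as "Process ID", Process_Name as "Process Name", ComputerName as "Hostname", Workstation_Name as "Remote Hostname", Source_Network_Address as "Remote Host IP", Source_Port as "Remote Host Port"
| sort - _time
| table $filter2$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>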