Windows Account Management Dashboard

Description

Submitted by thall

Here is a dashboard that I have built to look at Windows Account Management events. The dashboard utilizes a drill-down that will feed a multi-select which is using a dynamic search to give you fields that are available for the stats output in the 2nd panel dependent on your selection.

Add-ons: Splunk Add-on for Microsoft Windows - https://splunkbase.splunk.com/app/742/

Video overview of the dashboard and how to create this dashboard in your environment: https://youtu.be/pvWw1BCQo6s
<form version="1.0">
  <label>Windows Account Management</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="wineventlog" source="WinEventLog:Security" CategoryString="Account Management" | stats count by signature | sort -count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="sig">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Looking at $sig$</title>
      <input type="multiselect" token="field2" searchWhenChanged="true">
        <label>Field Selection</label>
        <delimiter> </delimiter>
        <fieldForLabel>field</fieldForLabel>
        <fieldForValue>field</fieldForValue>
        <search>
          <query>index="wineventlog" source="WinEventLog:Security" CategoryString="Account Management" signature="$sig$" | fieldsummary | where count>0</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <default>host,user</default>
      </input>
      <table>
        <search>
          <query>index="wineventlog" source="WinEventLog:Security" CategoryString="Account Management" signature="$sig$" | stats count by _time $field2$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
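The chain described above (time picker feeds both panels, the first panel's drill-down sets $sig$, $sig$ gates the multiselect's dynamic search, and the multiselect's $field2$ feeds the stats panel) lives entirely in token wiring, which is easy to break when a dashboard is edited. The following script is an added example, not code from the submission or from Splunk: it parses the Simple XML (reproduced here with the cosmetic <option> elements left out, which does not change the wiring), lists which tokens are produced by inputs and drill-down <set> elements, which are consumed by searches, titles and time ranges, and reports any that are referenced without ever being defined. The treatment of a time input as exposing <token>.earliest and <token>.latest, and the skipping of $click.*$ inside <drilldown>, follow Splunk's documented token behaviour; everything else is this script's own logic.

```python
import re
import xml.etree.ElementTree as ET

# Dashboard source from the page, trimmed of display <option> elements.
DASHBOARD_XML = """<form version="1.0">
  <label>Windows Account Management</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row><panel><table>
    <search>
      <query>index="wineventlog" source="WinEventLog:Security" CategoryString="Account Management" | stats count by signature | sort -count</query>
      <earliest>$field1.earliest$</earliest><latest>$field1.latest$</latest>
    </search>
    <drilldown><set token="sig">$click.value$</set></drilldown>
  </table></panel></row>
  <row><panel>
    <title>Looking at $sig$</title>
    <input type="multiselect" token="field2" searchWhenChanged="true">
      <label>Field Selection</label><delimiter> </delimiter>
      <fieldForLabel>field</fieldForLabel><fieldForValue>field</fieldForValue>
      <search>
        <query>index="wineventlog" source="WinEventLog:Security" CategoryString="Account Management" signature="$sig$" | fieldsummary | where count>0</query>
        <earliest>$field1.earliest$</earliest><latest>$field1.latest$</latest>
      </search>
      <default>host,user</default>
    </input>
    <table>
      <search>
        <query>index="wineventlog" source="WinEventLog:Security" CategoryString="Account Management" signature="$sig$" | stats count by _time $field2$</query>
        <earliest>$field1.earliest$</earliest><latest>$field1.latest$</latest>
      </search>
    </table>
  </panel></row>
</form>"""

TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")
# Element types whose text Splunk renders with $token$ substitution.
SUBSTITUTED = {"query", "title", "earliest", "latest"}


def defined_tokens(root):
    """Tokens made available by form inputs and by drilldown <set> elements."""
    defined = set()
    for inp in root.iter("input"):
        tok = inp.get("token")
        if not tok:
            continue
        if inp.get("type") == "time":
            # A time input exposes <token>.earliest / .latest, not the bare name.
            defined.update({f"{tok}.earliest", f"{tok}.latest"})
        else:
            defined.add(tok)
    for setter in root.iter("set"):
        if setter.get("token"):
            defined.add(setter.get("token"))
    return defined


def referenced_tokens(root):
    """Tokens consumed by searches, titles and time ranges.

    Drilldown bodies are not scanned: $click.value$ there is supplied by
    Splunk at click time, not by the dashboard itself."""
    referenced = set()
    for elem in root.iter():
        if elem.tag in SUBSTITUTED and elem.text:
            referenced.update(TOKEN_RE.findall(elem.text))
    return referenced


def audit(xml_text):
    """Return the defined/referenced token sets plus the two mismatch sets."""
    root = ET.fromstring(xml_text)
    defined, referenced = defined_tokens(root), referenced_tokens(root)
    return {"defined": defined, "referenced": referenced,
            "undefined": referenced - defined, "unused": defined - referenced}


def searches_depending_on(xml_text, token):
    """Queries that cannot run until `token` is set (here: until a drilldown click)."""
    root = ET.fromstring(xml_text)
    return [q.text for q in root.iter("query") if f"${token}$" in (q.text or "")]


if __name__ == "__main__":
    result = audit(DASHBOARD_XML)
    for key in ("defined", "referenced", "undefined", "unused"):
        print(f"{key:10}: {sorted(result[key])}")
    print("queries gated on $sig$:", len(searches_depending_on(DASHBOARD_XML, "sig")))
```

For this dashboard the undefined and unused sets are both empty, and two of the three queries are gated on $sig$, which is why the second row stays blank until a signature is clicked in the first panel. Running the audit after any edit (renaming an input token, adding a panel that references $sig$ from a different row) catches the silent failure mode where a search never runs because its token is never set.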
