High Level Windows Dashboard -

Part 1 – User Logon Activity

The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized that the focus of this dashboard is fairly high level, has a time picker (defaulting to 7 days) and shows both successful and failed user logons (table and timechart) as well as logon duration, general Windows Authentication Events, and some common eventcodes associated with each user. Depending on the number of users in your environment the last panel/query may need to be modified as it is using a “| stats values(user)” for the list of users per eventcode. Panels use color where it makes sense for me, such as in the case of user names, and host names. I’ll include another Windows Dashboard (Part 2) in the future.

<form>
  <label>Windows Security Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Failed Logon Attempts</title>
      <table>
        <search>
          <query>index=windows_events source="WinEventLog:security" EventCode=4625 
| eval hammer=_time
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host)
| bucket span=5m hammer 
| stats count sparkline by user host, hammer, Workstation_Name
| rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("5 minute blocks")</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="Target Host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="Source Host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Timechart of Failed Attempts to Logon</title>
      <chart>
        <search>
          <query>index=windows_events source="WinEventLog:security" EventCode=4625 
| timechart span=1h count by host</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Successful Logons</title>
      <table>
        <search>
          <query>index=windows_events source="WinEventLog:security" EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) user!="DWM-*" user!="UMFD-*"
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host)
| eval hammer=_time 
| bucket span=1d@d hammer 
| stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name
| rename hammer as "Start of Day" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("Start of Day")
| sort - "Start of Day"</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Target Host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="Source Host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
    <panel>
      <title>Timechart of Successful Logons</title>
      <chart>
        <search>
          <query>index=windows_events source="WinEventLog:security" EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) user!="DWM-*" user!="UMFD-*"
| timechart span=1h count by host</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Windows Authentication events</title>
      <table>
        <search>
          <query>index=windows_events source="wineventlog:security" action=success (EventCode=4624 OR EventCode=4634 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date 
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host, user
| eval session_duration=logout-login
| where session_duration &gt; 5
| eval h=floor(session_duration/3600) 
| eval m=floor((session_duration-(h*3600))/60) 
| eval SessionDuration=h."h ".m."m " 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout 
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user
| sort + login</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Common Event Codes - 10,000 foot view</title>
      <table>
        <search>
          <query>index="windows_events" source="wineventlog:security" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$$" user!="ANONYMOUS LOGON" user!="IUSR"
| eval Trigger=case(EventCode=516, "Audit Logs Modified",EventCode=517, "Audit Logs Modified",EventCode=612, "Audit Logs Modified",EventCode=623, "Audit Logs Modified",EventCode=806, "Audit Logs Modified",EventCode=807, "Audit Logs Modified",EventCode=1101, "Audit Logs Modified",EventCode=1102, "Audit Logs Modified",EventCode=4612, "Audit Logs Modified",EventCode=4621, "Audit Logs Modified",EventCode=4694, "Audit Logs Modified",EventCode=4695, "Audit Logs Modified",EventCode=4715, "Audit Logs Modified",EventCode=4719, "Audit Logs Modified",EventCode=4817, "Audit Logs Modified",EventCode=4885, "Audit Logs Modified",EventCode=4902, "Audit Logs Modified",EventCode=4906, "Audit Logs Modified",EventCode=4907, "Audit Logs Modified",EventCode=4912, "Audit Logs Modified", EventCode=642, "Account Modification",EventCode=646, "Account Modification",EventCode=685, "Account Modification",EventCode=4738, "Account Modification",EventCode=4742, "Account Modification",EventCode=4781, "Account Modification", EventCode=1102, "Audit Logs Cleared/Deleted",EventCode=517, "Audit Logs Cleared/Deleted", EventCode=628, "Passwords Changed",EventCode=627, "Passwords Changed",EventCode=4723, "Passwords Changed",EventCode=4724, "Passwords Changed", EventCode=528, "Successful Logons",EventCode=540, "Successful Logons",EventCode=4624, "Successful Logons", EventCode=4625, "Failed Logons",EventCode=529, "Failed Logons",EventCode=530, "Failed Logons",EventCode=531, "Failed Logons",EventCode=532, "Failed Logons",EventCode=533, "Failed Logons",EventCode=534, "Failed Logons",EventCode=535, "Failed Logons",EventCode=536, "Failed Logons",EventCode=537, "Failed Logons",EventCode=539, "Failed Logons", EventCode=576, "Escalation of Privileges",EventCode=4672, "Escalation of Privileges",EventCode=577, "Escalation of Privileges",EventCode=4673, "Escalation of Privileges",EventCode=578, "Escalation of Privileges",EventCode=4674, "Escalation of Privileges") 
| stats earliest(_time) as Initial_Occurrence latest(_time) as Latest_Occurrence values(user) as Users values(host) as Hosts count sparkline by Trigger
| sort - count
| convert ctime(Initial_Occurrence) ctime(Latest_Occurrence)</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="Trigger">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>

Comments

Neil K January 17, 2019 at 3:54 pm

How do you input all of this information? I am working in Splunk 7.2.3. when I input this XML in the Dashboard > Source, I get error(s): Error parsing XML on line 25: Premature end of data in tag form line 1.
I would like to try this dashboard to see how it looks. Are some of the tags missing at the end?

Thanks!

1. SplunkNinja January 18, 2019 at 6:55 am
  
  Neil,
  Please give this a shot again. I updated the xml escape tags to hopefully work this time. I’ve tested it on both Firefox and Chrome as of the time of this post.
  
  Thanks for the comment and letting me know!
  
Mike February 28, 2019 at 3:33 pm

I’m new to Splunk, so do you just copy this into the search bar?

1. SplunkNinja March 11, 2019 at 11:57 am
  
  Mike,
  You would create a new dashboard, and copy and paste the xml into the “source” of the dashboard. This can all be done within the web interface.
  
  If you have any issues, please join our discord!
  
  https://discord.gg/fFJhGPw
  
John Roeser May 8, 2019 at 9:05 am

Hi SplunkNinja! This dashboard looks great but I am getting “No results found” in each of the windows. Forgive me, Im a noob to splunk. I have hosts added and when doing standard searches it works. Do i need to tweak the code to look at specific instances or will it simply look at all hosts i have? Thanks!

1. SplunkNinja May 8, 2019 at 11:56 am
  
  The only thing you’ll need to change is the index= section. Currently it says index=windows_events, change that to the index name where your windows data lives. If you don’t know you can do index=* but that is not best practice.
  
Donbabs June 21, 2019 at 2:45 pm

When is part 2 coming?

1. SplunkNinja July 9, 2019 at 3:53 pm
  
  Hopefully soon :)
  
Andrea January 17, 2020 at 9:24 am

Great Dashboard!
Just have to obviously change the index & source according to internal references.
Anything similar for Linux out there?
Thanks a lot for all your help!

Armando Dsouga January 30, 2020 at 12:04 pm

@Splunk Ninja,
New to the forum, accidentally clicked on the vote down… is there a way to undo it?

itsmevic February 26, 2020 at 8:57 am

Splunk Ninja, remind me to buy you a beer and steak. I love the dashboard! Look forward to part 2 and more from you!

mbeauc636 April 30, 2021 at 3:50 pm

Great dashboard ! Thanks

Splunk Query Repository

High Level Windows Dashboard

Part 1 – User Logon Activity

Comments

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

High Level Windows Dashboard

Part 1 – User Logon Activity

Related Queries

Dashboard sourcetype validation

NIX Debian Package (dpkg.log) Dashboard

Dashboard to measure Indexes and Sourcetypes, based upon first and last date of events

Comments

Leave A Comment? Click here to cancel reply.