Here is a dashboard I built to look at Windows Logon Type 2 & 10 (remote & remote interactive) that will help identify which users access which servers and how many times. Also, when you click on a user it will run a 30-day search and a 24-hour search that produce a column timechart of the hours that user logs in. My goal would be to have a sparkline in the first panel to show the hours each user logs in so you don't have to drill down.
It’s good to know who is accessing your machines and what their normal habit is.
<form theme="dark" version="1.1">
  <label>Windows RDP sessions</label>
  <description>Logon Type 2 and 10 events</description>
  <fieldset submitButton="true">
    <input type="time" token="time1">
      <label>Select a Time:</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="field1">
      <label>Filter:</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panels have been filtered to show: $field1$</title>
      <table>
        <search>
          <query>index=wineventlog $field1$ source=WinEventLog:Security EventCode="4624" (Logon_Type="2" OR Logon_Type="10") NOT Source_Network_Address="-"
| fillnull value=* Source_Network_Address
| stats count by host Source_Network_Address Logon_Type user
| eval bar="("+count+") "+Source_Network_Address
| eval bar_host="("+count+") "+host
| stats list(bar) values(bar_host) by user Logon_Type</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Looking at $user$</title>
      <chart>
        <search>
          <query>index=wineventlog $field1$ EventCode=4624 (Logon_Type=2 OR Logon_Type=10) earliest=-30d@d latest=-24h user=$user$
| fields _time
| timechart count span=1h
| eval hour = strftime(_time,"%H")
| stats sum(count) as 30day by hour
| join type=outer hour
    [search index=wineventlog $field1$ EventCode=4624 (Logon_Type=2 OR Logon_Type=10) earliest=-24h user=$user$
    | fields _time
    | timechart count span=1h
    | eval hour = strftime(_time,"%H")
    | stats sum(count) as 24h by hour]</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">1</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
Thanks for sharing, I have a really silly question. How can I go about actually inputting this within Splunk?
Security Owl – From the "Search and Reporting" app, click Dashboards, then the big green button to create a new dashboard. Name the dashboard and click Create. Now you are in the "edit dashboard" screen; click Source, delete EVERYTHING there, and replace it with the above dashboard XML. -tv
The problem is that the User field input is not configured correctly. It does nothing, actually. I'm working on fixing the input; I'll test it and post the code here.
Afternoon, the field input at the top of the dashboard is designed to be a generic filter and not tied to any specific field. If you want, you can either enter a value or field=value and it should filter the dashboard accordingly. I pulled the dashboard into my home environment and everything works, including the drilldown and the field input. Unless you are speaking of a different part of the dashboard.
travis
Keep getting WDM-(X) users when I use the Logon type 2. Anyone know of a way to actually identify this type of user?
Heads up… Logon type 10 is remote interactive (i.e. RDP, Terminal Services, Remote Assistance); however, logon type 2 is an interactive logon (i.e. by typing a user name and password at the Windows logon prompt).
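To make the dashboard's logic concrete outside Splunk, here is an added example (not part of the original post or its comments) that models both panels over a handful of constructed 4624 records: the first-panel rollup of "(count) source address" and "(count) host" per user and logon type, and the drilldown's hour-of-day comparison of a 30-day baseline (snapped to midnight and excluding the last 24 hours, like earliest=-30d@d latest=-24h) against the last 24 hours. It also carries the two caveats raised in the thread: type 2 is a console logon rather than a remote one, and the "WDM-(X)" accounts are assumed here to be the Window Manager DWM-N virtual accounts (plus the UMFD-N font driver accounts), which log on interactively by themselves and are filtered out. The field names (host, Logon_Type, user, Source_Network_Address, _time) follow the dashboard's search; the sample records, the DWM/UMFD pattern and the `new_hours` check are my own additions.

```python
"""Offline model of the RDP-session dashboard: panel 1 rollup, panel 2 hourly profile."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Logon types the dashboard keys on: 2 is a console (interactive) logon,
# 10 is RemoteInteractive (RDP, Terminal Services, Remote Assistance).
LOGON_TYPES = {"2": "Interactive", "10": "RemoteInteractive"}

# Windows virtual accounts that produce Type 2 logons on their own (Desktop
# Window Manager and User-Mode Font Driver sessions). Assumed to be the
# "WDM-(X)" users asked about in the thread.
VIRTUAL_ACCOUNT = re.compile(r"^(DWM|UMFD)-\d+$")

# Constructed sample records (not real logs), one per line, in the shape of
# the fields the dashboard searches on. Domain prefixes on `user` are omitted.
SAMPLE_EVENTS = """\
_time=2024-03-05T09:05:00 host=SRV01 EventCode=4624 Logon_Type=10 user=alice Source_Network_Address=10.0.0.5
_time=2024-03-12T09:40:00 host=SRV01 EventCode=4624 Logon_Type=10 user=alice Source_Network_Address=10.0.0.5
_time=2024-03-20T18:10:00 host=SRV02 EventCode=4624 Logon_Type=10 user=alice Source_Network_Address=10.0.0.5
_time=2024-03-28T10:00:00 host=SRV03 EventCode=4624 Logon_Type=3 user=carol Source_Network_Address=10.0.0.9
_time=2024-03-30T22:30:00 host=SRV01 EventCode=4624 Logon_Type=2 user=bob Source_Network_Address=-
_time=2024-03-31T03:15:00 host=SRV02 EventCode=4624 Logon_Type=10 user=alice Source_Network_Address=203.0.113.7
_time=2024-03-31T08:00:00 host=SRV01 EventCode=4624 Logon_Type=2 user=bob Source_Network_Address=127.0.0.1
_time=2024-03-31T08:01:00 host=SRV01 EventCode=4624 Logon_Type=2 user=DWM-1 Source_Network_Address=127.0.0.1
_time=2024-03-31T09:30:00 host=SRV01 EventCode=4624 Logon_Type=10 user=alice Source_Network_Address=10.0.0.5
"""
NOW = datetime(2024, 3, 31, 12, 0, 0)  # "now" for the constructed data

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict; _time becomes a datetime."""
    fields = dict(FIELD.findall(line))
    fields["_time"] = datetime.fromisoformat(fields["_time"])
    return fields


def load_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def select_logons(events, drop_virtual=True):
    """Base search: 4624, Logon_Type 2 or 10, a real source address, and
    (optionally) no DWM-/UMFD- virtual accounts."""
    keep = []
    for e in events:
        if e.get("EventCode") != "4624" or e.get("Logon_Type") not in LOGON_TYPES:
            continue
        if e.get("Source_Network_Address", "-") == "-":
            continue
        if drop_virtual and VIRTUAL_ACCOUNT.match(e.get("user", "")):
            continue
        keep.append(e)
    return keep


def access_summary(logons):
    """Panel 1: per (user, Logon_Type), the '(count) source' and '(count) host' lists."""
    by_src = Counter((e["user"], e["Logon_Type"], e["Source_Network_Address"]) for e in logons)
    by_host = Counter((e["user"], e["Logon_Type"], e["host"]) for e in logons)
    summary = defaultdict(lambda: {"sources": [], "hosts": []})
    for (user, lt, addr), n in sorted(by_src.items()):
        summary[(user, lt)]["sources"].append(f"({n}) {addr}")
    for (user, lt, host), n in sorted(by_host.items()):
        summary[(user, lt)]["hosts"].append(f"({n}) {host}")
    return dict(summary)


def hourly_profile(logons, user, now):
    """Panel 2: hour of day -> [baseline count, last-24h count] for one user.
    Baseline = from midnight 30 days ago up to 24h ago; recent = last 24h."""
    day = timedelta(hours=24)
    baseline_start = (now - 30 * day).replace(hour=0, minute=0, second=0, microsecond=0)
    recent_start = now - day
    profile = {h: [0, 0] for h in range(24)}
    for e in logons:
        if e["user"] != user:
            continue
        t = e["_time"]
        if recent_start <= t <= now:
            profile[t.hour][1] += 1
        elif baseline_start <= t < recent_start:
            profile[t.hour][0] += 1
    return profile


def new_hours(profile):
    """Hours with logons in the last 24h that never appear in the 30-day baseline."""
    return sorted(h for h, (base, recent) in profile.items() if recent and not base)


if __name__ == "__main__":
    logons = select_logons(load_events(SAMPLE_EVENTS))
    for key, cols in access_summary(logons).items():
        print(key, cols)
    prof = hourly_profile(logons, "alice", NOW)
    print("alice hours outside baseline:", new_hours(prof))
```

On the sample data, alice's 03:15 RDP logon from a previously unseen address shows up as a new hour with no baseline, which is exactly the "normal habit" comparison the second panel is meant to surface; the DWM-1 type 2 logon and the type 3 network logon never reach either panel.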
When I attempt to drill down on a user, the bottom panel returns with the error:
"Error in 'from' command: Invalid dataset specifier 'hour', expected dataset-type:dataset-name. Verify your search string."
I’ve copied & pasted your text from above, only changing my index name in the query. Any suggestions would be appreciated, I’m a Splunk noob so I’m not sure
Thanks for bringing this to my attention.
The reason you are getting the error is that the "join" command is looking for a search that is not there.
There seems to be an issue with the GoSplunk site where part of the 2nd query that is wrapped in square brackets [ ] is not showing up in the post. However, when editing the post the whole query is there. I tried many ways to re-format the post, but was unsuccessful.
Here is the complete 2nd query, just remember to update the 2 spots with index=(your_index):
index=wineventlog $field1$ EventCode=4624 (Logon_Type=2 OR Logon_Type=10) earliest=-30d@d latest=-24h user=$user$ | fields _time | timechart count span=1h | eval hour = strftime(_time,"%H") | stats sum(count) as 30day by hour | join type=outer hour [search index=wineventlog $field1$ EventCode=4624 (Logon_Type=2 OR Logon_Type=10) earliest=-24h user=$user$ | fields _time | timechart count span=1h | eval hour = strftime(_time,"%H") | stats sum(count) as 24h by hour]
travis