Here is a dashboard I built to look at Windows Logon Type 2 & 10 (remote & remote interactive) that will help identify which users access which servers and how many times. Also, when you click on a user, it will run a 30-day search and a 24-hour search that produce a column timechart of the hour that user logs in. My goal would be to have a sparkline in the first panel to show the hours each user logs in so you don’t have to drill down.
It’s good to know who is accessing your machines and what their normal habit is.
<form theme="dark" version="1.0">
  <label>Windows RDP sessions</label>
  <description>Logon Type 2 and 10 events</description>
  <fieldset submitButton="true">
    <input type="time" token="time1">
      <label>Select a Time:</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="field1">
      <label>Filter:</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panels have been filtered to show: $field1$</title>
      <table>
        <!-- Count 4624 console (2) and RDP (10) logons per host and source address, then list them per user -->
        <search>
          <query>index=wineventlog $field1$ source=WinEventLog:Security EventCode="4624" (Logon_Type="2" OR Logon_Type="10") | fillnull value=* Source_Network_Address | stats count by host Source_Network_Address Logon_Type user | eval bar="("+count+") "+Source_Network_Address | eval bar_host="("+count+") "+host | stats list(bar) values(bar_host) by user Logon_Type</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <!-- $click.value$ is the leftmost column of the clicked row, i.e. the user -->
          <set token="user">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Looking at $user$</title>
      <chart>
        <!-- 30-day hour-of-day profile joined with the last 24 hours; the posted query ended at
             "join type=outer hour", so the 24-hour subsearch below is reconstructed from the post's description -->
        <search>
          <query>index=wineventlog $field1$ EventCode=4624 (Logon_Type=2 OR Logon_Type=10) earliest=-30d@d latest=-24h user=$user$ | fields _time | timechart count span=1h | eval hour=strftime(_time,"%H") | stats sum(count) as 30day by hour | join type=outer hour [search index=wineventlog $field1$ EventCode=4624 (Logon_Type=2 OR Logon_Type=10) earliest=-24h latest=now user=$user$ | fields _time | timechart count span=1h | eval hour=strftime(_time,"%H") | stats sum(count) as 24hour by hour]</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">1</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
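To see what the two panels compute without a Splunk instance, here is an added example (not part of the original post or its dashboard) that runs the same aggregations over a handful of constructed 4624 events: the per-user host/source counts of the first panel, the hour-of-day profile of the second, and the 30-day-vs-24-hour comparison the stacked chart is meant to surface. Hostnames, users and addresses are made up.

```python
"""Added example, not the post's own code: the dashboard's two aggregations
run offline over constructed Windows 4624 events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, host, user, Logon_Type, Source_Network_Address).
# Logon_Type 2 = interactive at the console, 10 = RemoteInteractive (RDP).
NOW = datetime(2024, 5, 20, 9, 0)
EVENTS = [
    (NOW - timedelta(days=10, hours=1), "SRV01", "alice", 10, "10.0.0.5"),
    (NOW - timedelta(days=5, hours=1), "SRV01", "alice", 10, "10.0.0.5"),
    (NOW - timedelta(days=2, hours=1), "SRV02", "alice", 10, "10.0.0.5"),
    (NOW - timedelta(hours=1), "SRV01", "alice", 10, "10.0.0.9"),   # today, usual hour
    (NOW - timedelta(hours=15), "SRV01", "alice", 10, "10.0.0.9"),  # yesterday evening
    (NOW - timedelta(days=1, hours=2), "SRV02", "bob", 2, None),    # console logon, no source IP
]


def logon_summary(events):
    """First panel: per (user, Logon_Type), count logons per host and per source
    address, like `stats count by host Source_Network_Address Logon_Type user`."""
    summary = defaultdict(lambda: {"hosts": Counter(), "sources": Counter()})
    for _ts, host, user, logon_type, src in events:
        row = summary[(user, logon_type)]
        row["hosts"][host] += 1
        row["sources"][src or "*"] += 1  # same as `fillnull value=* Source_Network_Address`
    return summary


def hourly_profile(events, user, start, end):
    """Second panel: hour-of-day histogram of one user's logons in [start, end), like
    `timechart count span=1h | eval hour=strftime(_time,"%H") | stats sum(count) by hour`."""
    hours = Counter()
    for ts, _host, u, _logon_type, _src in events:
        if u == user and start <= ts < end:
            hours[ts.strftime("%H")] += 1
    return hours


def unseen_hours(events, user, now):
    """Hours in the last 24h at which the user logged on but never did during the
    preceding 30-day baseline; the deviation the stacked 30day/24hour chart shows."""
    baseline = hourly_profile(events, user, now - timedelta(days=30), now - timedelta(hours=24))
    recent = hourly_profile(events, user, now - timedelta(hours=24), now)
    return sorted(h for h in recent if h not in baseline)


if __name__ == "__main__":
    for (user, logon_type), row in sorted(logon_summary(EVENTS).items()):
        print(user, logon_type, dict(row["hosts"]), dict(row["sources"]))
    print("alice logged on at new hours:", unseen_hours(EVENTS, "alice", NOW))
```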
Thanks for sharing, I have a really silly question. How can I go about actually inputting this within Splunk?
Security Owl – From the “Search and Reporting” app, click Dashboards, then the big green button to create a new dashboard. Name the dashboard and click Create. Now you are in the “edit dashboard” screen: click SOURCE, delete EVERYTHING there, and replace it with the above dashboard XML. -tv
The problem is that the User field input is not configured correctly. It does nothing, actually. I’m working on fixing the input; I’ll test it and post the code here.
Afternoon. The field input at the top of the dashboard is designed to be a generic filter and not tied to any specific field. If you want, you can enter either a value or field=value and it should filter the dashboard accordingly. I pulled the dashboard into my home environment and everything works, including the drilldown and the field input. Unless you are speaking of a different part of the dashboard.
travis
Keep getting WDM-(X) users when I use the Logon type 2. Anyone know of a way to actually identify this type of user?
Heads up… Login type 10 is remote interactive (i.e. RDP, Terminal Services, Remote Assistance), however login type 2 is an interactive login (i.e. by typing user name and password on Windows logon prompt).