
Making Sense of Data

Nearly two years ago, I wrote an article about Active Directory account lockouts with troubleshooting tips for locating their possible causes. It also touched on PowerShell scripts, native Windows commands, Microsoft tools, and Splunk to gather data for the investigations. My favorite by far had been Splunk, a SIEM (Security Information and Event Management) tool that aggregates logs from various sources so SPL (Search Processing Language) queries can be written to extract time-correlated information. Over the years I have kept iterating on those queries, and they have helped my IT colleagues stop account lockouts from happening. Nonetheless, trying to make sense of all the data could be mind-boggling and time-consuming!

See my Active Directory Account Lockouts and Modifications article to learn how to analyze account events with Windows Event IDs and Logon Types.

Thankfully, there is a beautiful way to visualize all the data that Splunk queries produce: Dashboards.

Splunk Dashboards

Dashboards, according to Splunk, are “views that are made up of panels. The panels can contain modules such as search boxes, fields, charts, tables, and lists. Dashboard panels are usually connected to reports.” Below are two Dashboards I recently created to help our IT Operations team with:

  • Seeing how many accounts are failing authentication over a specific time period
  • Troubleshooting lockouts for a given account
  • Identifying data or behavior patterns

There are multiple ways of creating Splunk Dashboards, including an interactive, graphical editor and programmatically with SimpleXML. This article is not about how to create Dashboards, as the company already has great documentation and free training available. There are also various tutorials on YouTube (here and here). What I do want to share is my SimpleXML source code so you can recreate the two Dashboards referenced above.

Create Dashboard with SimpleXML

Here are the steps to create my two AD Lockout Dashboards by copying my SimpleXML source code into your Splunk environment. The source code can be found below.

Open the Dashboard Editor

  • Go to the Dashboards tab and click on the Create New Dashboard button
[Screenshot: Splunk Dashboards Tab]

  • Provide an ID, such as “ad_account_lockout”, and click on the Create Dashboard button
[Screenshot: Splunk Create Dashboard]

  • There are two editing methods available on the Dashboard Editor screen: UI and Source
[Screenshot: Splunk Dashboard Editor]

    • UI is an interactive, graphical editor with which you can add Panels and Inputs
    • Source is where SimpleXML is used to programmatically create and customize Dashboards
  • Click on the Source button
  • Paste one of my SimpleXML source codes and switch to the UI method
  • You can now modify the Dashboard for your environment
    • Click the magnifying glass of each Panel to enter the Edit Search window
[Screenshot: Panel: Edit Search]

    • Point the SPL query to the Splunk index that holds your Active Directory Security event logs (Example: index="yuenx_win_sec")
      • Tip: Perform a Search and Replace on the source code to swap the index name for the one used in your environment
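The index retarget step above, as an added example that is not part of the original post: a small Python script that swaps the index name inside every <query> of a SimpleXML dashboard (and nowhere else) and then checks that each search's $token$ references match an <input> declared in the fieldset, so a mistyped time token is caught before the dashboard is saved. The shortened dashboard text and the -24h@h default are constructed sample values; the index names pac_win_sec and yuenx_win_sec are the ones used in this post.

```python
"""Retarget and sanity-check a Splunk SimpleXML dashboard before pasting it
into the Source editor. Added example, not code from the original post: it
assumes the dashboard XML is held as a string and follows the post's
index="..." and $token$ conventions."""
import re
import xml.etree.ElementTree as ET

# Constructed, shortened dashboard in the same shape as the post's SimpleXML.
# The second panel deliberately references a time token no <input> declares.
SAMPLE_XML = """<form>
<label>AD Lockouts - Single Account Troubleshooting</label>
<fieldset submitButton="false" autoRun="false">
<input type="text" token="account_sAM" searchWhenChanged="true">
<label>Account (sAMAccountName)</label>
</input>
<input type="time" token="time_Recent" searchWhenChanged="true">
<label>Recent Events* - Charts</label>
<default><earliest>-24h@h</earliest><latest>now</latest></default>
</input>
</fieldset>
<row>
<panel>
<title>"Locked" Events / Recent*</title>
<single>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| stats count(Account)</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
</search>
</single>
</panel>
<panel>
<title>Session Disconnects / Recent*</title>
<chart>
<search>
<query>index="pac_win_sec" Account_Name=$account_sAM$ EventCode=4779
| stats count by ComputerName</query>
<earliest>$time_Missing.earliest$</earliest>
<latest>$time_Missing.latest$</latest>
</search>
</chart>
</panel>
</row>
</form>
"""

QUERY_BLOCK_RE = re.compile(r"(<query>)(.*?)(</query>)", re.S)
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?')
# $account_sAM$ -> account_sAM ; $time_Recent.earliest$ -> time_Recent
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_]+)(?:\.(?:earliest|latest))?\$")


def find_indexes(xml_text):
    """Set of every index name referenced inside <query> elements."""
    found = set()
    for m in QUERY_BLOCK_RE.finditer(xml_text):
        found.update(INDEX_RE.findall(m.group(2)))
    return found


def retarget_index(xml_text, old_index, new_index):
    """Rewrite index="old_index" to index="new_index" inside <query> only.

    Working on the raw text instead of a re-serialised tree keeps comments,
    the &lt;/&gt; escapes in rex patterns and every <option> exactly as
    pasted. Returns (new_xml, number_of_replacements).
    """
    target = re.compile(r'\bindex\s*=\s*"?%s"?(?![A-Za-z0-9_])' % re.escape(old_index))
    total = 0

    def fix(m):
        nonlocal total
        body, n = target.subn('index="%s"' % new_index, m.group(2))
        total += n
        return m.group(1) + body + m.group(3)

    return QUERY_BLOCK_RE.sub(fix, xml_text), total


def check_tokens(xml_text):
    """List every $token$ a <search> uses that no <input token="..."> declares.

    Splunk will not run a search whose tokens are undefined, so a mistyped
    token simply leaves the panel empty; this makes the mistake visible.
    """
    root = ET.fromstring(xml_text)
    declared = {i.get("token") for i in root.iter("input") if i.get("token")}
    problems = []
    for search in root.iter("search"):
        used = set()
        for tag in ("query", "earliest", "latest"):
            used.update(TOKEN_RE.findall(search.findtext(tag) or ""))
        lines = (search.findtext("query") or "").splitlines()
        head = lines[0][:40] if lines else ""
        for tok in sorted(used - declared):
            problems.append("undeclared token $%s$ in search: %s" % (tok, head))
    return problems


if __name__ == "__main__":
    xml_out, n = retarget_index(SAMPLE_XML, "pac_win_sec", "yuenx_win_sec")
    print("replaced %d index reference(s); now using %s" % (n, sorted(find_indexes(xml_out))))
    for p in check_tokens(xml_out):
        print("WARNING:", p)
```

Run it against the full dashboard by reading the pasted Source into a string; an empty index set after retargeting means a query was written without an index= clause and will search default indexes.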

Dashboard SimpleXML Source Codes

Event ID 4767 (Unlock): The Splunk queries provided here currently include events where the queried user is the one who performed an unlock operation. I have not yet added logic to exclude them. This can skew results when looking for events where the queried user itself was unlocked by someone else. In other words, the queries currently include events where either the user was unlocked or the user performed the unlock on another account.

Below is the respective source code for my AD Lockout Dashboards. Refer to my Active Directory Account Lockouts and Modifications article for the foundation needed to modify the SPL queries shared in this post.

<form>
<label>AD Lockouts - Single Account Troubleshooting</label>
<fieldset submitButton="false" autoRun="false">
<input type="text" token="account_sAM" searchWhenChanged="true">
<label>Account (sAMAccountName)</label>
</input>
<input type="time" token="time_Recent" searchWhenChanged="true">
<label>Recent Events* - Charts</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_TimelineRecent" searchWhenChanged="true">
<label>Recent Timelines</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_TimelineExpanded" searchWhenChanged="true">
<label>Expanded Timelines</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_RealTimeWindow" searchWhenChanged="true">
<label>Real-Time Window</label>
<default>
<earliest>rt-60m</earliest>
<latest>rt</latest>
</default>
</input>
<input type="time" token="time_EventsRecent" searchWhenChanged="true">
<label>Recent Events^ - Tables</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<strong style="font-size:1.1em;">Purpose:</strong> This dashboard is designed to help troubleshoot Active Directory account lockouts.
<strong style="font-size:1.1em;">Tip:</strong> See <a href="https://www.yuenx.com/2019/active-directory-account-lockouts-locating-the-source-bonus-account-modifications" target="_blank">YuenX</a> for guidance on how to locate potential lockout sources, what occurs when locks happen, and more.
<br/>
<strong style="font-size:1.1em;color:#0A0;">Lockout Summary for All Accounts:</strong> Use this <a href="https://splunk.yuenx.com:8000/en-US/app/search/ad_account_lockout" target="_blank">Splunk Dashboard</a>.
</html>
</panel>
</row>
<row>
<panel>
<title>"Locked" Events / Recent*</title>
<single>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| stats count(Account)</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<!--<option name="height">143</option>-->
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">240</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-1d</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>"Locked" Events / Recent Timeline</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| rename EventCode as "Locked"
| timechart count by Locked</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.text">Event ID: 4740 + 644</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Modification Events / Expanded Timeline</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4738 OR EventCode=4723 OR EventCode=4724 OR EventCode=4767 OR EventCode=4725 OR EventCode=4722 OR EventCode=4726)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| rename EventCode as "Failures"
| timechart count by Failures cont=false</query>
<earliest>$time_TimelineExpanded.earliest$</earliest>
<latest>$time_TimelineExpanded.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">top</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<viz type="timeline_app.timeline">
<title>"Locked" Events (Heatmap) - Recent Timeline</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| sort Account
| table _time, Account</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="height">100</option>
<option name="refresh.display">preview</option>
<option name="timeline_app.timeline.axisTimeFormat">DAYS</option>
<option name="timeline_app.timeline.colorMode">categorical</option>
<option name="timeline_app.timeline.maxColor">#DA5C5C</option>
<option name="timeline_app.timeline.minColor">#FFE8E8</option>
<option name="timeline_app.timeline.numOfBins">6</option>
<option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.useColors">0</option>
</viz>
</panel>
</row>
<row>
<panel>
<title>Failure Events / Recent Timeline</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777 OR EventCode=4767)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| rename EventCode as "Failures"
| timechart count by Failures cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>CALLER_MACHINE / Recent*</title>
<chart>
<title>"Locked" Events</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="N/A" Caller_Machine
| stats count by Caller_Machine</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>CALLER_MACHINE / Recent*</title>
<chart>
<title>Failures (WiFi: ise)</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="N/A" Caller_Machine
| stats count by Caller_Machine</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
<panel>
<title>LOGON_TYPE / Recent*</title>
<chart>
<title>Failures</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| fillnull value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Logon_Type
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
<panel>
<title>SOURCE_NETWORK_ADDRESS / Recent*</title>
<chart>
<title>Failures (Often Non-Windows)</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Source_Network_Address=if(Source_Network_Address=="-", "N/A", Source_Network_Address)
| stats count by Source_Network_Address</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Logged by DC / Recent*</title>
<chart>
<title>"Locked" Events</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Computer=ComputerName | fillnull value="N/A" Computer
| stats count by Computer</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>Logged by Computer / Recent*</title>
<chart>
<title>Failures (VPN: nps)</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Computer=ComputerName | fillnull value="N/A" Computer
| stats count by Computer</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>WORKSTATION / Recent*</title>
<chart>
<title>Failures</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Workstation_Name=if(Workstation_Name=="-", "N/A", Workstation_Name)
| stats count by Workstation_Name</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#fff; background:#008000; padding: 3px 5px;">Info</span> <span style="font-weight:bold; color:#080;">Logon Processes</span> - How account attempted to authenticate when it <span style="color:#f00">FAILED</span>.
<br/>
<span style="font-weight:bold; color:#800;">CALLER_/PROCESS_NAME</span> - <strong>Lsass</strong>: Initiates Windows authentication | <strong>SvcHost/Services</strong>: Launches Windows service(s).
<br/>
<span style="font-weight:bold; color:#800;">LOGON_PROCESS</span> - <strong>Advapi</strong>: IIS web logon | <strong>IAS</strong>: Remote access (ie. VPN) via NPS/MS' RADIUS | <strong>Kerberos</strong>: Default Windows auth since 2000 | <strong>NtLmSsp</strong>: Windows auth pre-2000 (NTLM) | <strong>Schannel</strong>: Secure auth (ie. IIS TLS/SSL website with auth) | <strong>User32</strong>: Windows User Interface (ie. TS logon prompt).
</html>
</panel>
</row>
<row>
<panel>
<title>CALLER_PROCESS_NAME / Recent*</title>
<chart>
<title>Logon Initiator</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| fillnull value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Caller_Process_Name
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>PROCESS_NAME / Recent*</title>
<chart>
<title>Logon Initiator</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| fillnull value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Process_Name
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>LOGON_PROCESS / Recent*</title>
<chart>
<title>Auth Processor</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| fillnull value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Logon_Process
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>AUTHENTICATION_PACKAGE / Recent*</title>
<chart>
<title>Auth Method (MsAuthPkg = NTLM)</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| fillnull value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| rename "Authentication_Package" as "Auth_Package"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| stats count by Auth_Package
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#fff; background:#008000; padding: 3px 5px;">Info</span> <span style="font-weight:bold; color:#080;">Workstation Activity</span> - Only SERVERS are shown unless events are also logged from users' computers.
<br/>
<span style="font-weight:bold; color:#800;">
<strong>Session</strong>
</span>: Applies to remote desktop sessions or when a user fast-switched on the same computer.
<br/>
<span style="font-weight:bold; color:#800;">
<strong>Workstation</strong>
</span>: When a computer's console is manually/automatically locked or a user returned and successfully unlocked.
</html>
</panel>
</row>
<row>
<panel>
<title>Session Disconnects / Recent*</title>
<chart>
<title>Disconnects may cause locks</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4779)
| stats count by ComputerName</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
<panel>
<title>Sessions / Recent Timeline</title>
<chart>
<title>Terminal Session / Fast User Switch</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4778 OR EventCode=4779)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| timechart count by EventCode cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">top</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Session Reconnects / Recent*</title>
<chart>
<title>Successful reconnect</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4778)
| stats count by ComputerName</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Workstation Locks / Recent*</title>
<chart>
<title>Automatic or manual lock</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4800)
| stats count by ComputerName</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
<panel>
<title>Workstation Locks or Unlocks / Recent Timeline</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4800 OR EventCode=4801)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| timechart count by EventCode cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">top</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Workstation Unlocks / Recent*</title>
<chart>
<title>Successful unlock</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4801)
| stats count by ComputerName</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Cisco VPN Logins / Recent Timeline</title>
<chart>
<title>Failures (Logon_Process: IAS)</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ EventCode=4625 Logon_Process="IAS" (Authentication_Package="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" OR Authentication_Package="NTLM") ComputerName="nps-*"
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| timechart count by ComputerName cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">small</option>
<option name="trellis.splitBy">Time</option>
</chart>
</panel>
<panel>
<title>Cisco VPN Logins / Recent Timeline</title>
<chart>
<title>Successes (Logon_Process: IAS)</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ EventCode=4624 Logon_Process="IAS" (Authentication_Package="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" OR Authentication_Package="NTLM") ComputerName="nps-*"
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| timechart count by ComputerName cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">area</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">small</option>
<option name="trellis.splitBy">Time</option>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#000; background:#FFDF7F; padding: 3px 5px;">Notice</span> A <strong>"4740 Locked"</strong> event does NOT necessarily indicate SOURCE of lockout.
</html>
</panel>
</row>
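<!-- Added example panel, not part of the author's dashboard: it places the computer that reported a "4740 Locked" event (Caller_Computer_Name) next to the origin recorded on the failed logons for the same account in the same window, i.e. the Workstation_Name / Source_Network_Address of 4625 events and the Client_Address of 4771 events, so the two can be compared when the 4740 reporter turns out to be a gateway or NPS server rather than the real source. It reuses this dashboard's index, source and tokens ($account_sAM$ and $time_EventsRecent); Kerberos events are matched on the sAM token only. The Account, Origin, Origins, First and Last field names are assumptions chosen for this example. -->
<row>
<panel>
<title>Lockout Reporter vs. Failure Origins / Recent^ (added example)</title>
<table>
<title>Compare the 4740 Caller_Computer_Name with where the failed logons came from</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=4771)
| eval Account=if(EventCode==4771, mvindex(Account_Name,0), mvindex(Account_Name,1))
| eval Origin=case(EventCode==4740, Caller_Computer_Name, EventCode==4625, coalesce(Workstation_Name,"-")." / ".coalesce(Source_Network_Address,"-"), EventCode==4771, Client_Address)
| fillnull value="-" Origin
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==4771, "4771 Kerb Pre-Auth Failed")
| stats count, earliest(_time) as First, latest(_time) as Last, values(Origin) as Origins by Account, EventCode
| sort Account, First
| eval First=strftime(First, "%m/%d/%y %H:%M:%S"), Last=strftime(Last, "%m/%d/%y %H:%M:%S")
| table Account, EventCode, count, First, Last, Origins</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<option name="rowNumbers">true</option>
<option name="wrap">true</option>
</table>
</panel>
</row>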
<row>
<panel>
<title>Events of Interest / Real-Time (30 sec refresh)</title>
<table>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ OR Account_Name="[email protected]*"
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4771 OR EventCode=4770 OR EventCode=4768 OR EventCode=4776 OR EventCode=4777 OR EventCode=4725 OR EventCode=4723 OR EventCode=4724 OR EventCode=4767) OR (EventCode=4624 OR EventCode=4648 OR EventCode=4767 OR EventCode=12294 OR EventCode=4725 OR EventCode=4722 OR EventCode=4724 OR EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, Failure_Reason, Client_Address, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Workstation_Name, Src_Netw_Addr</query>
<earliest>$time_RealTimeWindow.earliest$</earliest>
<latest>$time_RealTimeWindow.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>LOCKOUT-Related Events / Recent</title>
<table>
<title>Without Kerberos Events / Recent^</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777 OR EventCode=4725 OR EventCode=4723 OR EventCode=4724 OR EventCode=4767 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, Failure_Reason, Client_Address, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Workstation_Name, Src_Netw_Addr</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
<table>
<title>Kerberos Events / Recent^</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ OR Account_Name="[email protected]*"
(EventCode=4770 OR EventCode=4771 OR EventCode=4768)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, Failure_Reason, Client_Address, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Workstation_Name, Src_Netw_Addr</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Kerberos Events / Recent Timeline</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ OR Account_Name="[email protected]*"
(EventCode=4770 OR EventCode=4771 OR EventCode=4768)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| timechart count by EventCode</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>NON-LOCKOUT-Related Events / Recent^</title>
<table>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
NOT (EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4771 OR EventCode=4768 OR EventCode=4770 OR EventCode=4776 OR EventCode=4777) NOT EventCode=4767 NOT (EventCode=6272 OR EventCode=6273 OR EventCode=6274 OR EventCode=6275) NOT (EventCode=4627 OR EventCode=4768 OR EventCode=4780)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, TaskCategory, EventCode, ActionBy, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Src_Netw_Addr, Network_Address</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
<form>
<label>AD Lockouts - All Accounts</label>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="time_Recent" searchWhenChanged="true">
<label>Summaries - Recent*</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_BarChart" searchWhenChanged="true">
<label>Summaries - Bar Chart</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_Timeline" searchWhenChanged="true">
<label>Timelines</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_RealTimeWindow" searchWhenChanged="true">
<label>Real-Time Window</label>
<default>
<earliest>rt-60m</earliest>
<latest>rt</latest>
</default>
</input>
<input type="time" token="time_EventsRecent" searchWhenChanged="true">
<label>Recent Events^</label>
<default>
<earliest>[email protected]</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<strong style="font-size:1.1em;">Purpose:</strong> This dashboard summarizes Accounts that had "Locked" events (ID 4740 and 644) recorded by Active Directory.
<strong style="font-size:1.1em;">Tip:</strong> See <a href="https://www.yuenx.com/2019/active-directory-account-lockouts-locating-the-source-bonus-account-modifications" target="_blank">YuenX</a> for guidance on how to locate potential lockout sources, what occurs when locks happen, and more.
<br/>
<strong style="font-size:1.1em;color:#0A0;">Troubleshoot Individual Accounts:</strong> Use this <a href="https://splunk.yuenx.com:8000/en-US/app/search/ad_account_lockout_troubleshooting" target="_blank">Splunk Dashboard</a>.
</html>
</panel>
</row>
<row>
<panel>
<title>Unique Accounts / Recent*</title>
<single>
<title>Accounts with "Locked" Events</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| stats distinct_count(Account)</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<!--<option name="height">143</option>-->
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">240</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-1d</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Top Accounts / Recent*</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| top Account</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>Top Accounts / Bar Chart</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| top Account</query>
<earliest>$time_BarChart.earliest$</earliest>
<latest>$time_BarChart.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Unique Accounts / Timeline</title>
<chart>
<title>Accounts with "Locked" Events</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| timechart distinct_count(Account)</query>
<earliest>$time_Timeline.earliest$</earliest>
<latest>$time_Timeline.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.text">Event ID: 4740 + 644</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">none</option>
</chart>
</panel>
<panel>
<title>"Locked" Events / Timeline</title>
<chart>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| rename EventCode as "Locked"
| timechart count by Locked</query>
<earliest>$time_Timeline.earliest$</earliest>
<latest>$time_Timeline.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.text">Event ID: 4740 + 644</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#000; background:#FFDF7F; padding: 3px 5px;">Notice</span> 
A <strong>"4740 Locked"</strong> event does NOT necessarily indicate SOURCE of lockout.
</html>
</panel>
</row>
<row>
<panel>
<title>Events / Real-Time (30 sec refresh)</title>
<table>
<title>Users and Computers$ - Events: Locked, Unlocked</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644 OR EventCode=4767)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, ComputerName</query>
<earliest>$time_RealTimeWindow.earliest$</earliest>
<latest>$time_RealTimeWindow.latest$</latest>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
</table>
</panel>
<panel>
<title>Events / Real-Time (30 sec delay)</title>
<table>
<title>Users and Computers$ - Events: PW Change, PW Reset, Disabled, Enabled</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4725 OR EventCode=4722 OR EventCode=4723 OR EventCode=4724)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, ComputerName</query>
<earliest>$time_RealTimeWindow.earliest$</earliest>
<latest>$time_RealTimeWindow.latest$</latest>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Events / Recent^ by Name</title>
<viz type="timeline_app.timeline">
<title>Users - Events: Locked (Heatmap)</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| sort Account
| table _time, Account</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">preview</option>
<option name="timeline_app.timeline.axisTimeFormat">DAYS</option>
<option name="timeline_app.timeline.colorMode">categorical</option>
<option name="timeline_app.timeline.maxColor">#DA5C5C</option>
<option name="timeline_app.timeline.minColor">#FFE8E8</option>
<option name="timeline_app.timeline.numOfBins">6</option>
<option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.useColors">0</option>
</viz>
</panel>
</row>
<row>
<panel>
<title>Events / Recent^</title>
<table>
<title>Users and Computers$ - Events: Locked, Unlocked, PW Change, PW Reset, Disabled, Enabled</title>
<search>
<query>index="pac_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644 OR EventCode=4767 OR EventCode=4725 OR EventCode=4722 OR EventCode=4723 OR EventCode=4724)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, ComputerName</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">25</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

See my Active Directory Account Lockouts and Modifications article for the foundation needed to modify the SPL queries shared in this post.
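As an added example (not the dashboard author's code and not anything Splunk ships), here is the field normalization those SPL pipelines perform, re-implemented in Python over constructed sample events so the Account, ActionBy, Caller_Machine and label logic can be checked offline before the queries are modified. The sample events, account names and hostnames are made up; the EventCode sets and labels are the ones used in the dashboards above.

```python
"""Offline re-implementation of the dashboards' SPL field normalization.
Added example, not Splunk's code; event samples below are constructed."""
from collections import Counter

# Which Account_Name value the SPL case() picks per EventCode: index 1 (the
# target account) for logon/lockout/account-management events, index 0 for
# Kerberos and session events. EventCode 644 has no branch in that case().
ACCOUNT_FROM_INDEX1 = {4624, 4625, 4648, 4722, 4723, 4724, 4725, 4738, 4740, 4767}
ACCOUNT_FROM_INDEX0 = {4768, 4769, 4771, 4770, 5140, 4778, 4779, 4800, 4801}
# ActionBy: 4725 takes Account_Name[0]; the other management events take src_user.
ACTIONBY_FROM_ACCOUNT0 = {4725}
ACTIONBY_FROM_SRC_USER = {4722, 4767, 4723, 4724, 4738}

EVENT_LABELS = {
    4740: "4740 Locked", 4625: "4625 Logon Failed", 644: "644 Locked",
    529: "529 Logon Failed", 4768: "4768 Kerb TGT Req",
    4771: "4771 Kerb Pre-Auth Failed", 4770: "4770 Kerb Svc Tkt Renewed",
    4624: "4624 Logon OK", 4767: "4767 Unlocked", 4725: "4725 Disabled",
    4722: "4722 Enabled", 4723: "4723 PW change attempt",
    4724: "4724 PW reset attempt", 4738: "4738 Object changed",
}
LOGON_TYPE_LABELS = {
    2: "2 Interactive", 3: "3 Network", 4: "4 Batch", 5: "5 Service",
    7: "7 Unlock", 8: "8 NetworkClearText", 9: "9 NewCredentials",
    10: "10 RemoteInteractive", 11: "11 CachedInteractive",
}
AUTH_PACKAGE_ABBREV = {
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": "MsAuthPkgV1_0",
    "Microsoft Unified Security Protocol Provider": "MsUnifiedSecProt",
}


def mvindex(values, i):
    """Splunk mvindex(): None when the multivalue field has no value at i."""
    return values[i] if values and i < len(values) else None


def fillnull(value, default="-"):
    """Splunk fillnull: substitute default for a missing value."""
    return default if value is None else value


def basename(path):
    # The rex "(?P<x>[^\\]+)$" step: keep the text after the last backslash.
    return fillnull(path.rsplit("\\", 1)[-1] if path else None)


def normalize(ev):
    """Return the row the dashboard tables show for one raw Security event."""
    code = ev["EventCode"]
    names = ev.get("Account_Name", [])
    if code in ACCOUNT_FROM_INDEX1:
        account = mvindex(names, 1)
    elif code in ACCOUNT_FROM_INDEX0:
        account = mvindex(names, 0)
    else:
        account = None          # e.g. 644: no case() branch, so shown as "-"
    if code in ACTIONBY_FROM_ACCOUNT0:
        action_by = mvindex(names, 0)
    elif code in ACTIONBY_FROM_SRC_USER:
        action_by = ev.get("src_user")
    else:
        action_by = None
    # coalesce(Caller_Machine_Name, Caller_Computer_Name): legacy 644 events
    # carry the former, 4740 events the latter.
    caller = ev.get("Caller_Machine_Name") or ev.get("Caller_Computer_Name")
    auth_pkg = ev.get("Authentication_Package")
    logon_type = ev.get("Logon_Type")
    return {
        "Account": fillnull(account),
        "EventCode": EVENT_LABELS.get(code, str(code)),
        "ActionBy": action_by,
        "Caller_Machine": fillnull(caller),
        "Logon_Type": LOGON_TYPE_LABELS.get(logon_type, logon_type),
        "Auth_Package": AUTH_PACKAGE_ABBREV.get(auth_pkg, auth_pkg),
        "Process_Name": basename(ev.get("Process_Name")),
        "ComputerName": ev.get("ComputerName"),
    }


def lockout_summary(events):
    """The 'Unique Accounts' and 'Top Accounts' panels: distinct_count and
    top of mvindex(Account_Name,1) over EventCode 4740/644."""
    locked = [mvindex(e.get("Account_Name", []), 1)
              for e in events if e["EventCode"] in (4740, 644)]
    locked = [a for a in locked if a is not None]
    return {"distinct_count": len(set(locked)),
            "top": Counter(locked).most_common()}


# Constructed sample events, shaped like the fields the Windows TA extracts.
SAMPLE_EVENTS = [
    {"EventCode": 4740, "Account_Name": ["DC01$", "jdoe"],
     "Caller_Computer_Name": "WKS-017", "ComputerName": "DC01.corp.example"},
    {"EventCode": 4740, "Account_Name": ["DC01$", "jdoe"],
     "Caller_Computer_Name": "SRV-MAIL", "ComputerName": "DC01.corp.example"},
    {"EventCode": 4740, "Account_Name": ["DC02$", "asmith"],
     "Caller_Computer_Name": "WKS-042", "ComputerName": "DC02.corp.example"},
    {"EventCode": 644, "Account_Name": ["DC03$", "legacyuser"],
     "Caller_Machine_Name": "OLDPC", "ComputerName": "DC03.corp.example"},
    {"EventCode": 4771, "Account_Name": ["jdoe"],
     "Client_Address": "::ffff:10.0.0.17", "ComputerName": "DC01.corp.example"},
    {"EventCode": 4625, "Account_Name": ["-", "jdoe"], "Logon_Type": 2,
     "Authentication_Package": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
     "Process_Name": "C:\\Windows\\System32\\winlogon.exe",
     "ComputerName": "WKS-017.corp.example"},
    {"EventCode": 4767, "Account_Name": ["helpdesk1", "jdoe"],
     "src_user": "helpdesk1", "ComputerName": "DC01.corp.example"},
]

if __name__ == "__main__":
    for row in map(normalize, SAMPLE_EVENTS):
        print(row)
    print(lockout_summary(SAMPLE_EVENTS))
```

Feeding exported Splunk results (or raw events) through `normalize` is a quick way to confirm a query change still picks the intended Account_Name value before editing the dashboard XML.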
