
Making Sense of Data

Nearly two years ago, I wrote an article about Active Directory account lockouts with troubleshooting tips for locating their possible causes. It also touched on PowerShell scripts, native Windows commands, Microsoft tools, and Splunk to gather data for the investigations. My favorite by far was Splunk, a SIEM (Security Information and Event Management) tool that aggregates logs from various sources so that SPL (Search Processing Language) queries can extract time-correlated information. I have iterated on those queries regularly over the years, and they have helped my IT colleagues stop account lockouts from happening. Nonetheless, trying to make sense of all the data could be mind-boggling and time-consuming!

See my Active Directory Account Lockouts and Modifications article to learn how to analyze account events with Windows Event IDs and Logon Types.

Thankfully, there is a beautiful way to visualize all the data that Splunk queries produce: Dashboards. Since building them, I have also used them successfully for cybersecurity investigations and detections.

Splunk Dashboards

Dashboards, according to Splunk, are “views that are made up of panels. The panels can contain modules such as search boxes, fields, charts, tables, and lists. Dashboard panels are usually connected to reports.” Below are two Dashboards I recently created to help our IT Operations team with:

  • Seeing how many accounts are failing authentication over a specific time period
  • Troubleshooting lockouts for a given account
  • Identifying data or behavior patterns
  • Detecting and investigating Cybersecurity events

Example 1

In the example below, a pattern is visible over the last 24 hours: lockouts occur roughly one hour apart, and the heatmap confirms it. A scheduled task is a likely cause.

Pattern: Lockout appears to occur every hour (Scheduled Task?)

Example 2

In a high-visibility incident I came across, a service account shared by dozens of applications kept locking out, wreaking havoc across the organization. Nobody in IT knew which of the 50+ IPs reporting large numbers of failures was the culprit until a coworker made one crucial discovery: some systems recorded “invalid username or password” events. Why had I not previously thought of capturing those specifically as another data point to investigate from? That prompted me to add the panels below, which show (1) failure/lockout events in the top timeline, (2) failures due to an invalid username or password in the bottom timeline, and (3) other supporting data in the right column:

Pattern: Failed Logons/Account Lockouts vs Password Failures

  • Top timeline
    • The vast majority of logon failures and lockout events happened 5-10 minutes after each hour (e.g. 9:05am, 9:10am, 9:15am)
    • Failures stopped after about 30-35 minutes because the account lockout policy applied to some accounts has a 30-minute lockout duration, after which the account unlocks automatically
  • Bottom timeline: IPs that had failed password events at the top of every hour (e.g. 9:00am, 10:00am, 11:00am)

One could clearly see that six IPs (bottom timeline) consistently had “invalid username or password” failures at the beginning of each hour, which locked the account; minutes later, the IPs in the top timeline started recording logon failures or account lockout events. The gap in failures during the second half of each hour was due to the account automatically unlocking after 30 minutes. What did those six IPs belong to? They were a subset of servers for the same application: Splunk. (How ironic to use Splunk to find that the cause was Splunk!)

You may also want to include Kerberos events in your investigation, such as Event ID 4771 (Kerberos Pre-Authentication Failed), where Failure Code 0x18 means a bad password was presented. For NTLM and local logons, the Sub_Status field of Event ID 4625 tells a wrong password (0xC000006A) apart from a non-existent user name (0xC0000064) and from an attempt against an already locked account (0xC0000234); the Failure_Reason text used in the queries below ("Unknown user name or bad password.") lumps the first two together.

Tip: Do not share service accounts across multiple use cases. Doing so just makes troubleshooting — and auditing — so much harder!
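The two patterns above (Example 1: lockouts recurring on a fixed interval; Example 2: a handful of IPs whose wrong-password failures precede every lockout, buried among many IPs that only fail because the account is already locked) can be checked outside a dashboard as well. The following is an added example, not code from the original post: it runs the same correlation in Python over a constructed list of events shaped like Splunk's Windows Security fields (EventCode, Account_Name, Source_Network_Address, Failure_Reason, _time). The account name, IP addresses and timestamps are hypothetical.

```python
"""Correlate wrong-password failures with account lockouts (added example)."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# 4625 Failure_Reason strings as Windows writes them.
BAD_PW = "Unknown user name or bad password."   # Sub_Status 0xC000006A (bad password) / 0xC0000064 (no such user)
LOCKED_OUT = "Account locked out."               # Sub_Status 0xC0000234


def _t(hhmm, day="2023-03-01"):
    """Timestamp helper for the constructed sample."""
    return datetime.fromisoformat(f"{day} {hhmm}")


def build_sample_events(account="svc_shared", hours=range(9, 13)):
    """Constructed sample, not real log data. Six hypothetical hosts send a
    stale password at :00, the DC logs a 4740 at :01, then three other app
    servers fail with 'Account locked out.' until the 30-minute auto-unlock."""
    culprits = [f"10.0.5.{i}" for i in range(11, 17)]
    victims = ["10.0.9.21", "10.0.9.22", "10.0.9.23"]
    events = []
    for h in hours:
        for ip in culprits:
            events.append({"_time": _t(f"{h:02d}:00"), "EventCode": 4625, "Account_Name": account,
                           "Source_Network_Address": ip, "Failure_Reason": BAD_PW})
        events.append({"_time": _t(f"{h:02d}:01"), "EventCode": 4740, "Account_Name": account})
        for m in (5, 10, 15, 20, 25):
            for ip in victims:
                events.append({"_time": _t(f"{h:02d}:{m:02d}"), "EventCode": 4625, "Account_Name": account,
                               "Source_Network_Address": ip, "Failure_Reason": LOCKED_OUT})
    return sorted(events, key=lambda e: e["_time"])


def lockouts(events, account):
    """Timestamps of every 4740 (account locked out) for the account."""
    return [e["_time"] for e in events if e["EventCode"] == 4740 and e["Account_Name"] == account]


def lockout_interval_minutes(events, account):
    """Median minutes between consecutive lockouts (Example 1): a value close
    to 60 points at an hourly job; None if there are fewer than two lockouts."""
    ts = lockouts(events, account)
    if len(ts) < 2:
        return None
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    return median(gaps)


def failure_sources(events, account):
    """Every IP that logged a 4625 for the account: the noisy 50+ IP view."""
    return Counter(e["Source_Network_Address"] for e in events
                   if e["EventCode"] == 4625 and e["Account_Name"] == account)


def bad_password_sources_before_lockout(events, account, window=timedelta(minutes=5)):
    """Example 2: IPs whose *wrong-password* 4625s fall inside `window` before
    each 4740. The count is the number of lockouts the IP preceded; an IP that
    precedes every lockout is the one holding the stale credential."""
    hits = Counter()
    for lock_at in lockouts(events, account):
        seen = set()
        for e in events:
            if (e["EventCode"] == 4625 and e["Account_Name"] == account
                    and e["Failure_Reason"] == BAD_PW
                    and lock_at - window <= e["_time"] <= lock_at):
                seen.add(e["Source_Network_Address"])
        hits.update(seen)
    return hits


if __name__ == "__main__":
    evs = build_sample_events()
    print("median minutes between lockouts:", lockout_interval_minutes(evs, "svc_shared"))
    print("distinct failing IPs:", len(failure_sources(evs, "svc_shared")))
    for ip, n in bad_password_sources_before_lockout(evs, "svc_shared").most_common():
        print(f"{ip} sent a wrong password before {n} lockouts")
```

Against the constructed data the six 10.0.5.x hosts precede all four lockouts while the 10.0.9.x servers, which generate far more 4625s, never appear, which is exactly the separation the bottom timeline gives you. Filtering on Failure_Reason (or better, Sub_Status) is what makes the difference; counting raw failures per IP is what hid the culprit for weeks.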

There are multiple ways of creating Splunk Dashboards, including an interactive, graphical editor and programmatically with SimpleXML. This article is not about how to create Dashboards, as Splunk already has great documentation and free training available, and there are various tutorials on YouTube. I do want to share my SimpleXML source code so you can recreate the two Dashboards referenced above.

Create Dashboard with SimpleXML

Here are the steps to create my two AD Lockout Dashboards by copying my SimpleXML source code into your Splunk environment. The source code can be found below.

Open the Dashboard Editor

  • Go to the Dashboards tab and click on the Create New Dashboard button
Splunk: Dashboards Tab

  • Provide an ID, such as “ad_account_lockout”, and click on the Create Dashboard button
Splunk: Create Dashboard

  • There are two editing methods available on the Dashboard Editor screen: UI and Source
Splunk: Dashboard Editor

    • UI is an interactive, graphical editor with which you can add Panels and Inputs
    • Source is where SimpleXML is used to programmatically create and customize Dashboards
  • Click on the Source button
  • Paste one of my SimpleXML source codes and switch to the UI method
  • You can now modify the Dashboard for your environment
    • Click the magnifying glass of each Panel to enter the Edit Search window
Splunk Dashboard - Panel: Edit Search

    • Point the SPL query to your specific Splunk index that holds the Active Directory Security event logs (Example: index="yuenx_win_sec")
      • Tip: Search and Replace yuenx_win_sec in the source code with the index to be used, rather than editing each panel by hand
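Retargeting the index and checking that every $token$ used by a panel is actually declared in the fieldset are the two edits most likely to go wrong when a dashboard is pasted into another environment (a panel that references an undeclared time token silently never runs). The following is an added example, not code from the original post or from Splunk: it parses a constructed, trimmed-down SimpleXML dashboard in the same shape as the source code below, reports undeclared tokens, and rewrites index="yuenx_win_sec" inside every query. The second panel of the sample deliberately uses an undeclared token, time_Stale, to show the check firing.

```python
"""Lint and retarget a Splunk SimpleXML dashboard (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the dashboards on this page; the second
# panel's time range references a token that no <input> declares.
SAMPLE_DASHBOARD = """<form>
<label>AD Lockouts - Sample</label>
<fieldset submitButton="false" autoRun="false">
<input type="text" token="account_sAM" searchWhenChanged="true"><label>Account</label></input>
<input type="time" token="time_Recent" searchWhenChanged="true"><label>Recent</label>
<default><earliest>-7d@h</earliest><latest>now</latest></default></input>
</fieldset>
<row>
<panel><title>"Locked" Events</title><single><search>
<query>index="yuenx_win_sec" source=WinEventLog:Security Account_Name=$account_sAM$ (EventCode=4740 OR EventCode=644) | stats count</query>
<earliest>$time_Recent.earliest$</earliest><latest>$time_Recent.latest$</latest>
</search></single></panel>
<panel><title>Failure Events</title><chart><search>
<query>index="yuenx_win_sec" source=WinEventLog:Security Account_Name=$account_sAM$ EventCode=4625 | timechart count</query>
<earliest>$time_Stale.earliest$</earliest><latest>$time_Stale.latest$</latest>
</search></chart></panel>
</row>
</form>
"""

# $token$ as well as $token.earliest$ / $token.latest$ forms.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)(?:\.[A-Za-z]+)?\$")
# index=foo or index="foo" at the start of an SPL query.
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_\-]+)"?')


def declared_tokens(root):
    """Tokens defined by <input token="..."> elements in the fieldset."""
    return {i.get("token") for i in root.iter("input") if i.get("token")}


def referenced_tokens(root):
    """Tokens used inside <query>, <earliest> and <latest> elements."""
    refs = set()
    for tag in ("query", "earliest", "latest"):
        for el in root.iter(tag):
            refs.update(TOKEN_RE.findall(el.text or ""))
    return refs


def undeclared_tokens(xml_text):
    """Sorted list of tokens a panel references but no input declares."""
    root = ET.fromstring(xml_text)
    return sorted(referenced_tokens(root) - declared_tokens(root))


def indexes_used(xml_text):
    """Sorted list of distinct index names referenced by the queries."""
    root = ET.fromstring(xml_text)
    return sorted({m for q in root.iter("query") for m in INDEX_RE.findall(q.text or "")})


def retarget_index(xml_text, old_index, new_index):
    """Rewrite index="old_index" in every <query>; returns (new_xml, panels_changed).
    Only query text is touched, so titles, options and tokens stay as they were."""
    root = ET.fromstring(xml_text)
    old, new = f'index="{old_index}"', f'index="{new_index}"'
    changed = 0
    for q in root.iter("query"):
        if q.text and old in q.text:
            q.text = q.text.replace(old, new)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("indexes:", indexes_used(SAMPLE_DASHBOARD))
    print("undeclared tokens:", undeclared_tokens(SAMPLE_DASHBOARD))
    new_xml, n = retarget_index(SAMPLE_DASHBOARD, "yuenx_win_sec", "wineventlog")
    print(f"retargeted {n} queries; indexes now:", indexes_used(new_xml))
```

Run it on the real source before pasting into the Source editor: an empty list from undeclared_tokens and a single expected entry from indexes_used is the state you want. The serialised output of retarget_index is what you paste; ElementTree re-escapes the &lt; inside the rex expressions correctly.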

Dashboard SimpleXML Source Codes

Event ID 4767 (Unlock): In a 4767 event, Account_Name is a multivalue field holding both the subject (who performed the unlock) and the target (the account that was unlocked), so the Account_Name=$account_sAM$ filter in the Splunk queries provided here matches either one. The queries therefore also include events where the queried user performed the unlock on another account; I have not yet added logic to exclude them. This can skew results when looking only for events where the queried user itself was unlocked by someone else.

Below is the source code for each of my AD Lockout Dashboards (one per tab on the original page). Refer to my Active Directory Account Lockouts and Modifications article for the foundation needed to modify the SPL queries shared in this post.

<form>
<label>AD Lockouts - Single Account Troubleshooting</label>
<fieldset submitButton="false" autoRun="false">
<input type="text" token="account_sAM" searchWhenChanged="true">
<label>Account (sAMAccountName)</label>
</input>
<input type="time" token="time_Recent" searchWhenChanged="true">
<label>Recent Events* - Charts</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_TimelineRecent" searchWhenChanged="true">
<label>Recent Timelines</label>
<default>
<earliest>-30d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_TimelineExpanded" searchWhenChanged="true">
<label>Expanded Timelines</label>
<default>
<earliest>-90d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_MostRecent" searchWhenChanged="true">
<label>Most Recent</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_EventsRecent" searchWhenChanged="true">
<label>Recent Events^ - Tables</label>
<default>
<earliest>-14d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<strong style="font-size:1.1em;">Purpose:</strong> This dashboard is designed to help troubleshoot Active Directory account lockouts.
<strong style="font-size:1.1em;">Tip:</strong> See <a href="https://www.yuenx.com/2019/active-directory-account-lockouts-locating-the-source-bonus-account-modifications" target="_blank">YuenX</a> for guidance on how to locate potential lockout sources, what occurs when locks happen, and more.
<br/>
<strong style="font-size:1.1em;color:#0A0;">Lockout Summary for All Accounts:</strong> Use this <a href="https://splunk.yuenx.com:8000/en-US/app/search/ad_account_lockout" target="_blank">Splunk Dashboard</a>.
</html>
</panel>
</row>
<row>
<panel>
<title>"Locked" Events / Recent*</title>
<single>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| stats count(Account)</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<!--<option name="height">143</option>-->
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">240</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-1d</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>"Locked" Events / Recent Timeline</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| rename EventCode as "Locked"
| timechart count by Locked</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.text">Event ID: 4740 + 644</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Modification Events / Expanded Timeline</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4738 OR EventCode=4723 OR EventCode=4724 OR EventCode=4767 OR EventCode=4725 OR EventCode=4722 OR EventCode=4726)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| rename EventCode as "Modifications"
| timechart count by Modifications cont=false</query>
<earliest>$time_TimelineExpanded.earliest$</earliest>
<latest>$time_TimelineExpanded.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">top</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<viz type="timeline_app.timeline">
<title>"Locked" Events (Heatmap) - Recent Timeline</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| sort Account
| table _time, Account</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="height">100</option>
<option name="refresh.display">preview</option>
<option name="timeline_app.timeline.axisTimeFormat">DAYS</option>
<option name="timeline_app.timeline.colorMode">categorical</option>
<option name="timeline_app.timeline.maxColor">#DA5C5C</option>
<option name="timeline_app.timeline.minColor">#FFE8E8</option>
<option name="timeline_app.timeline.numOfBins">6</option>
<option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.useColors">0</option>
</viz>
</panel>
</row>
<row>
<panel>
<title>Failure Events / Recent Timeline</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777 OR EventCode=4767)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| rename EventCode as "Failures"
| timechart count by Failures cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>CALLER_MACHINE / Recent*</title>
<chart>
<title>"Locked" Events</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="N/A" Caller_Machine
| stats count by Caller_Machine
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>CALLER_MACHINE / Recent*</title>
<chart>
<title>Failures (WiFi: ise)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="N/A" Caller_Machine
| stats count by Caller_Machine
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
<panel>
<title>LOGON_TYPE / Recent*</title>
<chart>
<title>Failures</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| fillnull value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Logon_Type
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Logged by DC / Recent*</title>
<chart>
<title>"Locked" Events</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=644)
| eval Computer=ComputerName | fillnull value="N/A" Computer
| stats count by Computer
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>Logged by Computer / Recent*</title>
<chart>
<title>Failures (VPN: nps)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Computer=ComputerName | fillnull value="N/A" Computer
| stats count by Computer
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>WORKSTATION / Recent*</title>
<chart>
<title>Failures</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Workstation_Name=if(Workstation_Name=="-", "N/A", Workstation_Name)
| stats count by Workstation_Name
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>SOURCE_NETWORK_ADDRESS / Recent Timeline</title>
<chart>
<title>Failures (Often Non-Windows)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| timechart count by Source_Network_Address usenull=false useother=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>SOURCE_NETWORK_ADDRESS / Recent*</title>
<chart>
<title>Failures (Often Non-Windows)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| eval Source_Network_Address=if(Source_Network_Address=="-", "N/A", Source_Network_Address)
| stats count by Source_Network_Address
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>SOURCE_NETWORK_ADDRESS (Wrong PW) / Recent Timeline</title>
<chart>
<title>Failures due to Wrong PW</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| search Failure_Reason = "Unknown user name or bad password."
| timechart count by Source_Network_Address</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>SOURCE_NETWORK_ADDRESS (Wrong PW) / Recent*</title>
<table>
<title>Failures due to Wrong PW</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| search Failure_Reason = "Unknown user name or bad password."
| stats count by Source_Network_Address
| sort -count
| table count,Source_Network_Address</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#fff; background:#008000; padding: 3px 5px;">Info</span> <span style="font-weight:bold; color:#080;">Logon Processes</span> - How account attempted to authenticate when it <span style="color:#f00">FAILED</span>.
<br/>
<span style="font-weight:bold; color:#800;">CALLER_/PROCESS_NAME</span> - <strong>Lsass</strong>: Initiates Windows authentication | <strong>SvcHost/Services</strong>: Launches Windows service(s).
<br/>
<span style="font-weight:bold; color:#800;">LOGON_PROCESS</span> - <strong>Advapi</strong>: IIS web logon | <strong>IAS</strong>: Remote access (e.g. VPN) via NPS, Microsoft's RADIUS server | <strong>Kerberos</strong>: Default Windows auth since Windows 2000 | <strong>NtLmSsp</strong>: Pre-Windows 2000 auth (NTLM) | <strong>Schannel</strong>: Secure channel auth (e.g. IIS website over TLS/SSL with auth) | <strong>User32</strong>: Windows User Interface (e.g. TS logon prompt).
</html>
</panel>
</row>
<row>
<panel>
<title>CALLER_PROCESS_NAME / Recent*</title>
<chart>
<title>Logon Initiator</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| fillnull Value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Caller_Process_Name
| sort by count desc</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>PROCESS_NAME / Recent*</title>
<chart>
<title>Logon Initiator</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| fillnull Value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Process_Name
| sort by count desc</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>LOGON_PROCESS / Recent*</title>
<chart>
<title>Auth Processor</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| fillnull Value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| stats count by Logon_Process
| sort by count desc</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>AUTHENTICATION_PACKAGE / Recent*</title>
<chart>
<title>Auth Method (MsAuthPkg = NTLM)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777)
| fillnull Value="N/A" Logon_Type
| eval Logon_Type=case(Logon_Type==2, "Interactive", Logon_Type==3, "Network", Logon_Type==4, "Batch", Logon_Type==5, "Service", Logon_Type==7, "Unlock", Logon_Type==8, "NetworkClearText", Logon_Type==9, "NewCredentials", Logon_Type==10, "RemoteInteractive", Logon_Type==11, "CachedInteractive", 1=1, Logon_Type)
| rename "Authentication_Package" as "Auth_Package"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| stats count by Auth_Package
| sort by count desc</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#fff; background:#008000; padding: 3px 5px;">Info</span> <span style="font-weight:bold; color:#080;">Workstation Activity</span> - Only SERVERS are shown unless events are also logged from users' computers.
<br/>
<span style="font-weight:bold; color:#800;">
<strong>Session</strong>
</span>: Applies to remote desktop sessions or when a user fast-switched on the same computer.
<br/>
<span style="font-weight:bold; color:#800;">
<strong>Workstation</strong>
</span>: When a computer's console is manually/automatically locked or a user returned and successfully unlocked.
</html>
</panel>
</row>
<row>
<panel>
<title>Session Disconnects / Recent*</title>
<chart>
<title>Disconnects may cause locks</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4779)
| stats count by ComputerName
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
<panel>
<title>Sessions / Recent Timeline</title>
<chart>
<title>Terminal Session / Fast User Switch</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4778 OR EventCode=4779)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| timechart count by EventCode cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">top</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Session Reconnects / Recent*</title>
<chart>
<title>Successful reconnect</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4778)
| stats count by ComputerName
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Workstation Locks / Recent*</title>
<chart>
<title>Automatic or manual lock</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4800)
| stats count by ComputerName
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
<panel>
<title>Workstation Locks or Unlocks / Recent Timeline</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4800 OR EventCode=4801)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| timechart count by EventCode cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">top</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Workstation Unlocks / Recent*</title>
<chart>
<title>Successful unlock</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4801)
| stats count by ComputerName
| sort -count</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Cisco VPN Logins / Recent Timeline</title>
<chart>
<title>Failures (Logon_Process: IAS)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ EventCode=4625 Logon_Process="IAS" (Authentication_Package="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" OR Authentication_Package="NTLM") ComputerName="nps-*"
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| timechart count by ComputerName cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">small</option>
<option name="trellis.splitBy">Time</option>
</chart>
</panel>
<panel>
<title>Cisco VPN Logins / Recent Timeline</title>
<chart>
<title>Successes (Logon_Process: IAS)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ EventCode=4624 Logon_Process="IAS" (Authentication_Package="MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" OR Authentication_Package="NTLM") ComputerName="nps-*"
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| timechart count by ComputerName cont=false</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">area</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">small</option>
<option name="trellis.splitBy">Time</option>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#000; background:#FFDF7F; padding: 3px 5px;">Notice</span> A <strong>"4740 Locked"</strong> event does NOT necessarily indicate SOURCE of lockout.
</html>
</panel>
</row>
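<!-- Added example row (not part of the author's dashboard): lockout cadence.
     The gap between consecutive "4740 Locked" events for the selected account is
     computed with the delta command. A run of near-identical gaps (for example
     about 60 minutes) points to a scheduled task or service retrying a stale
     credential, while irregular gaps point to a person at a keyboard. The 4740
     event only tells you the DC that observed the lockout, so this row narrows
     the WHEN before the panels below narrow the WHERE. Assumes the same index,
     source and $account_sAM$ / $time_TimelineRecent$ tokens as the panels above;
     Gap_Seconds and Gap_Minutes are names chosen for this example. -->
<row>
<panel>
<title>Lockout Cadence / Recent Timeline</title>
<table>
<title>Minutes between consecutive "4740 Locked" events</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ EventCode=4740
| sort 0 _time
| delta _time AS Gap_Seconds
| eval Gap_Minutes=round(Gap_Seconds/60, 1)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| fillnull Value="-" Caller_Computer_Name Gap_Minutes
| sort -_time
| table Time, Gap_Minutes, Caller_Computer_Name, ComputerName</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="count">20</option>
<option name="drilldown">none</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Lockout Cadence / Recent Timeline</title>
<chart>
<title>How often each gap length recurs (5 minute buckets)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ EventCode=4740
| sort 0 _time
| delta _time AS Gap_Seconds
| eval Gap_Minutes=floor(Gap_Seconds/300)*5
| stats count by Gap_Minutes
| sort Gap_Minutes</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.axisTitleX.text">Gap between lockouts (minutes, lower bucket edge)</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">none</option>
</chart>
</panel>
</row>
<!-- Usage: the first 4740 in the window has no predecessor, so its gap shows as "-"
     in the table and is dropped from the chart. Events are sorted ascending before
     delta so gaps come out positive; the table is then re-sorted newest first. -->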
<row>
<panel>
<title>Events of Interest / Most Recent</title>
<table>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ OR Account_Name="$account_sAM$@*"
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4771 OR EventCode=4770 OR EventCode=4768 OR EventCode=4776 OR EventCode=4777 OR EventCode=4725 OR EventCode=4723 OR EventCode=4724 OR EventCode=4767) OR (EventCode=4624 OR EventCode=4648 OR EventCode=4767 OR EventCode=12294 OR EventCode=4725 OR EventCode=4722 OR EventCode=4724 OR EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, Failure_Reason, Client_Address, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Workstation_Name, Src_Netw_Addr</query>
<earliest>$time_MostRecent.earliest$</earliest>
<latest>$time_MostRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>LOCKOUT-Related Events / Recent</title>
<table>
<title>Without Kerberos Events / Recent^</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
(EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4776 OR EventCode=4777 OR EventCode=4725 OR EventCode=4723 OR EventCode=4724 OR EventCode=4767 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, Failure_Reason, Client_Address, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Workstation_Name, Src_Netw_Addr</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
<table>
<title>Kerberos Events / Recent^</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ OR Account_Name="$account_sAM$@*"
(EventCode=4770 OR EventCode=4771 OR EventCode=4768)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, Failure_Reason, Client_Address, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Workstation_Name, Src_Netw_Addr</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Kerberos Events / Recent Timeline</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ OR Account_Name="$account_sAM$@*"
(EventCode=4770 OR EventCode=4771 OR EventCode=4768)
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| timechart count by EventCode</query>
<earliest>$time_TimelineRecent.earliest$</earliest>
<latest>$time_TimelineRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Kerberos Pre-Auth Failures / Recent*</title>
<chart>
<title>CLIENT_ADDRESS</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$ OR Account_Name="$account_sAM$@*"
EventCode=4771
| timechart count by Client_Address usenull=false useother=false</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel> 
</row>
<row>
<panel>
<title>NON-LOCKOUT-Related Events / Recent^</title>
<table>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
Account_Name=$account_sAM$
NOT (EventCode=4740 OR EventCode=4625 OR EventCode=644 OR EventCode=529 OR EventCode=675 OR EventCode=676 OR EventCode=681 OR EventCode=4771 OR EventCode=4768 OR EventCode=4770 OR EventCode=4776 OR EventCode=4777) NOT EventCode=4767 NOT (EventCode=6272 OR EventCode=6273 OR EventCode=6274 OR EventCode=6275) NOT (EventCode=4627 OR EventCode=4768 OR EventCode=4780)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, TaskCategory, EventCode, ActionBy, Logon_Type, Logon_Process, Auth_Package, Caller_Process_Name, Process_Name, ComputerName, Src_Netw_Addr, Network_Address</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
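The per-account tables above depend on two field-handling details that are easy to get wrong. Windows Security events carry a multi-valued Account_Name (Subject first, then Target) for 4740, 4625, 4767 and the account-management IDs, but a single value for the Kerberos IDs 4768/4770/4771, so the mvindex()/case() pair has to pick the right slot per Event ID. The caller host likewise arrives as Caller_Machine_Name or Caller_Computer_Name depending on the event, so the two have to be coalesced rather than compared against a bare NULL. The Python below is an added example, not part of the dashboard XML on this page and not the author's code: it re-implements that normalization over a handful of constructed sample events (host names, addresses and account names are made up), and adds the check the Locked heatmap in the All Accounts dashboard that follows is used for by eye, flagging an account whose lockouts recur at a near-constant interval, the signature of a scheduled task or service holding a stale password.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample events, shaped like the fields Splunk extracts from
# WinEventLog:Security. Account_Name is multi-valued ([Subject, Target]) for
# 4740/4625/4767 and single-valued for Kerberos 4771. Hosts, IPs, names are made up.
SAMPLE_EVENTS = [
    {"_time": "2020-03-02T08:02:11", "EventCode": 4771, "Account_Name": ["jdoe"],
     "Client_Address": "::ffff:10.1.2.33", "ComputerName": "DC01.corp.example"},
    {"_time": "2020-03-02T08:02:12", "EventCode": 4740, "Account_Name": ["DC01$", "jdoe"],
     "Caller_Computer_Name": "WKS-0042", "ComputerName": "DC01.corp.example"},
    {"_time": "2020-03-02T08:31:40", "EventCode": 4767, "Account_Name": ["helpdesk1", "jdoe"],
     "src_user": "helpdesk1", "ComputerName": "DC01.corp.example"},
    {"_time": "2020-03-02T09:02:13", "EventCode": 4740, "Account_Name": ["DC01$", "jdoe"],
     "Caller_Computer_Name": "WKS-0042", "ComputerName": "DC01.corp.example"},
    {"_time": "2020-03-02T10:02:10", "EventCode": 4740, "Account_Name": ["DC01$", "jdoe"],
     "Caller_Computer_Name": "WKS-0042", "ComputerName": "DC01.corp.example"},
    {"_time": "2020-03-02T11:02:15", "EventCode": 4740, "Account_Name": ["DC01$", "jdoe"],
     "Caller_Computer_Name": "WKS-0042", "ComputerName": "DC01.corp.example"},
    {"_time": "2020-03-02T09:15:00", "EventCode": 4625, "Account_Name": ["-", "svc_backup"],
     "Logon_Type": 3, "Source_Network_Address": "10.1.5.7", "ComputerName": "DC01.corp.example"},
    {"_time": "2020-03-02T09:15:01", "EventCode": 4740, "Account_Name": ["DC01$", "svc_backup"],
     "Caller_Computer_Name": "APP07", "ComputerName": "DC01.corp.example"},
]

# Which Account_Name slot names the target account, per Event ID (the dashboard's case()).
TARGET_INDEX = {
    4624: 1, 4625: 1, 4648: 1, 4722: 1, 4723: 1, 4724: 1, 4725: 1, 4738: 1, 4740: 1, 4767: 1,
    4768: 0, 4769: 0, 4770: 0, 4771: 0, 5140: 0, 4778: 0, 4779: 0, 4800: 0, 4801: 0}
# Subset of the dashboard's EventCode and Logon_Type labels.
EVENT_LABELS = {4740: "4740 Locked", 644: "644 Locked", 4625: "4625 Logon Failed",
                4767: "4767 Unlocked", 4771: "4771 Kerb Pre-Auth Failed", 4725: "4725 Disabled"}
LOGON_TYPES = {2: "2 Interactive", 3: "3 Network", 4: "4 Batch", 5: "5 Service", 7: "7 Unlock",
               8: "8 NetworkClearText", 9: "9 NewCredentials", 10: "10 RemoteInteractive"}

def target_account(event):
    """The account the event is about; '-' when the slot is absent (the fillnull)."""
    names = event.get("Account_Name") or []
    idx = TARGET_INDEX.get(event["EventCode"])
    return names[idx] if idx is not None and idx < len(names) else "-"

def action_by(event):
    """Who performed an administrative action: Subject for 4725, src_user otherwise."""
    code, names = event["EventCode"], event.get("Account_Name") or []
    if code == 4725:
        return names[0] if names else None
    return event.get("src_user") if code in (4722, 4723, 4724, 4738, 4767) else None

def caller_machine(event):
    # Same as SPL coalesce(): the caller host field is named differently per event ID.
    return event.get("Caller_Machine_Name") or event.get("Caller_Computer_Name") or "-"

def normalize(event):
    """One table row with the columns the dashboard panels display."""
    code = event["EventCode"]
    return {
        "Time": datetime.fromisoformat(event["_time"]).strftime("%m/%d/%y %H:%M:%S"),
        "Account": target_account(event),
        "EventCode": EVENT_LABELS.get(code, str(code)),
        "ActionBy": action_by(event),
        "Caller_Machine": caller_machine(event),
        "Client_Address": event.get("Client_Address"),
        "Logon_Type": LOGON_TYPES.get(event.get("Logon_Type"), event.get("Logon_Type")),
        "Src_Netw_Addr": event.get("Source_Network_Address"),
    }

def lockouts_by_account(events):
    """Lockout count per target account (the 'Top Accounts' panels)."""
    return Counter(target_account(e) for e in events if e["EventCode"] in (4740, 644))

def lockout_gaps(events, account):
    """Seconds between successive lockouts of one account, oldest first."""
    times = sorted(datetime.fromisoformat(e["_time"]) for e in events
                   if e["EventCode"] in (4740, 644) and target_account(e) == account)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def looks_scheduled(events, account, tolerance=0.05, min_gaps=3):
    """(True, median_gap_seconds) when lockouts recur at a near-constant interval,
    the pattern a scheduled task or service holding a stale password produces."""
    gaps = lockout_gaps(events, account)
    if len(gaps) < min_gaps:
        return False, None
    med = median(gaps)
    return med > 0 and all(abs(g - med) / med <= tolerance for g in gaps), med

if __name__ == "__main__":
    for row in map(normalize, sorted(SAMPLE_EVENTS, key=lambda e: e["_time"], reverse=True)):
        print(row["Time"], row["Account"], row["EventCode"], row["Caller_Machine"])
    for acct in lockouts_by_account(SAMPLE_EVENTS):
        print(acct, looks_scheduled(SAMPLE_EVENTS, acct))
```

The periodicity test is deliberately strict (a 5% tolerance on the median gap over at least three gaps) so that a human retrying a password does not trip it; in the sample data jdoe locks out once an hour from the same caller host, which is the case to hand to the owner of that workstation's scheduled tasks and services, while svc_backup has a single lockout and is left alone. As on the dashboard, the caller host is where the bad credentials reached the domain controller from, not necessarily where the stale credential lives.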
<form>
<label>AD Lockouts - All Accounts</label>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="time_Recent" searchWhenChanged="true">
<label>Summaries - Recent*</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_BarChart" searchWhenChanged="true">
<label>Summaries - Bar Chart</label>
<default>
<earliest>-8h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_Timeline" searchWhenChanged="true">
<label>Timelines</label>
<default>
<earliest>-30d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="time_RealTimeWindow" searchWhenChanged="true">
<label>Real-Time Window</label>
<default>
<earliest>rt-60m</earliest>
<latest>rt</latest>
</default>
</input>
<input type="time" token="time_EventsRecent" searchWhenChanged="true">
<label>Recent Events^</label>
<default>
<earliest>-14d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<strong style="font-size:1.1em;">Purpose:</strong> This dashboard summarizes accounts that had "Locked" events (Event ID 4740, or 644 on legacy domain controllers) recorded by Active Directory.
<strong style="font-size:1.1em;">Tip:</strong> See <a href="https://www.yuenx.com/2019/active-directory-account-lockouts-locating-the-source-bonus-account-modifications" target="_blank">YuenX</a> for guidance on how to locate potential lockout sources, what occurs when locks happen, and more.
<br/>
<strong style="font-size:1.1em;color:#0A0;">Troubleshoot Individual Accounts:</strong> Use this <a href="https://splunk.yuenx.com:8000/en-US/app/search/ad_account_lockout_troubleshooting" target="_blank">Splunk Dashboard</a>.
</html>
</panel>
</row>
<row>
<panel>
<title>Unique Accounts / Recent*</title>
<single>
<title>Accounts with "Locked" Events</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| stats distinct_count(Account)</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<!--<option name="height">143</option>-->
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">240</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-1d</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Top Accounts / Recent*</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| top Account</query>
<earliest>$time_Recent.earliest$</earliest>
<latest>$time_Recent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
<panel>
<title>Top Accounts / Bar Chart</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| top Account</query>
<earliest>$time_BarChart.earliest$</earliest>
<latest>$time_BarChart.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Unique Accounts / Timeline</title>
<chart>
<title>Accounts with "Locked" Events</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| timechart distinct_count(Account)</query>
<earliest>$time_Timeline.earliest$</earliest>
<latest>$time_Timeline.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.text">Event ID: 4740 + 644</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">none</option>
</chart>
</panel>
<panel>
<title>"Locked" Events / Timeline</title>
<chart>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| rename EventCode as "Locked"
| timechart count by Locked</query>
<earliest>$time_Timeline.earliest$</earliest>
<latest>$time_Timeline.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">90</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.text">Event ID: 4740 + 644</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisStart</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
<row>
<panel>
<html>
<span style="font-size:1.5em; font-weight:bold; color:#000; background:#FFDF7F; padding: 3px 5px;">Notice</span> 
A <strong>"4740 Locked"</strong> event does NOT necessarily identify the SOURCE of the lockout: its Caller Computer Name is the host that submitted the bad credentials to the domain controller, which may be an intermediary (such as a VPN concentrator or Exchange server) rather than the machine holding the stale credential.
</html>
</panel>
</row>
<row>
<panel>
<title>Events / Real-Time (30 sec refresh)</title>
<table>
<title>Users and Computers$ - Events: Locked, Unlocked</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644 OR EventCode=4767)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, ComputerName</query>
<earliest>$time_RealTimeWindow.earliest$</earliest>
<latest>$time_RealTimeWindow.latest$</latest>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
</table>
</panel>
<panel>
<title>Events / Real-Time (30 sec delay)</title>
<table>
<title>Users and Computers$ - Events: PW Change, PW Reset, Disabled, Enabled</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4725 OR EventCode=4722 OR EventCode=4723 OR EventCode=4724)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull Value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, ComputerName</query>
<earliest>$time_RealTimeWindow.earliest$</earliest>
<latest>$time_RealTimeWindow.latest$</latest>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Events / Recent^ by Name</title>
<viz type="timeline_app.timeline">
<title>Users - Events: Locked (Heatmap)</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644)
| eval Account=mvindex(Account_Name,1)
| sort by Account
| table _time, Account</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">preview</option>
<option name="timeline_app.timeline.axisTimeFormat">DAYS</option>
<option name="timeline_app.timeline.colorMode">categorical</option>
<option name="timeline_app.timeline.maxColor">#DA5C5C</option>
<option name="timeline_app.timeline.minColor">#FFE8E8</option>
<option name="timeline_app.timeline.numOfBins">6</option>
<option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.useColors">0</option>
</viz>
</panel>
</row>
<row>
<panel>
<title>Events / Recent^</title>
<table>
<title>Users and Computers$ - Events: Locked, Unlocked, PW Change, PW Reset, Disabled, Enabled</title>
<search>
<query>index="yuenx_win_sec" source=WinEventLog:Security
(EventCode=4740 OR EventCode=644 OR EventCode=4767 OR EventCode=4725 OR EventCode=4722 OR EventCode=4723 OR EventCode=4724)
| eval Account0=mvindex(Account_Name,0) | eval Account1=mvindex(Account_Name,1)
| eval Account=case(EventCode==4624,Account1, EventCode==4625,Account1, EventCode==4648,Account1, EventCode==4722,Account1, EventCode==4723,Account1, EventCode==4724,Account1, EventCode==4725,Account1, EventCode==4738,Account1, EventCode==4740,Account1, EventCode==4767,Account1, EventCode==4768,Account0, EventCode==4769,Account0, EventCode==4771,Account0, EventCode==4770,Account0, EventCode==5140,Account0, EventCode==4778,Account0, EventCode==4779,Account0, EventCode==4800,Account0, EventCode==4801,Account0) | fillnull Value="-" Account
| eval ActionBy=case(EventCode==4725,Account0, EventCode==4722,src_user, EventCode==4767,src_user, EventCode==4723,src_user, EventCode==4724,src_user, EventCode==4738,src_user)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S") | sort -_time
| eval Caller_Machine=coalesce(Caller_Machine_Name, Caller_Computer_Name) | fillnull value="-" Caller_Machine
| rex field=Process_Name "(?P&lt;Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Process_Name
| rex field=Caller_Process_Name "(?P&lt;Caller_Process_Name&gt;[^\\\]+)$" | fillnull Value="-" Caller_Process_Name
| rename "Authentication_Package" as "Auth_Package", "Source_Network_Address" as "Src_Netw_Addr"
| replace "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" with "MsAuthPkgV1_0" in Auth_Package
| replace "Microsoft Unified Security Protocol Provider" with "MsUnifiedSecProt" in Auth_Package
| eval EventCode=case(EventCode==4740, "4740 Locked", EventCode==4625, "4625 Logon Failed", EventCode==644, "644 Locked", EventCode==529, "529 Logon Failed", EventCode==4768, "4768 Kerb TGT Req", EventCode==4771, "4771 Kerb Pre-Auth Failed", EventCode==4770, "4770 Kerb Svc Tkt Renewed", EventCode==4624, "4624 Logon OK", EventCode==4648, "4648 Logon Attempt Explicit Creds (ie. Task/RunAs)", EventCode==4767, "4767 Unlocked", EventCode==12294, "12294 Potential attack against Administrator", EventCode==4725, "4725 Disabled", EventCode==4722, "4722 Enabled", EventCode==4723, "4723 PW change attempt",EventCode==4724, "4724 PW reset attempt", EventCode==4738, "4738 Object changed", EventCode==4720, "4720 Created", EventCode==4726, "4726 Deleted", EventCode==4778, "4778 Session Reconnect", EventCode==4779, "4779 Session Disconnect", EventCode==4800, "4800 Wks Locked", EventCode==4801, "4801 Wks Unlocked", 1=1, EventCode)
| eval Logon_Type=case(Logon_Type==2, "2 Interactive", Logon_Type==3, "3 Network", Logon_Type==4, "4 Batch", Logon_Type==5, "5 Service", Logon_Type==7, "7 Unlock", Logon_Type==8, "8 NetworkClearText", Logon_Type==9, "9 NewCredentials", Logon_Type==10, "10 RemoteInteractive", Logon_Type==11, "11 CachedInteractive", 1=1, Logon_Type)
| table Time, Account, EventCode, ActionBy, Caller_Machine, ComputerName</query>
<earliest>$time_EventsRecent.earliest$</earliest>
<latest>$time_EventsRecent.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">25</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

See my Active Directory Account Lockouts and Modifications article for the foundation needed to modify the SPL queries shared in this post.

Note About Event ID 4625 (Account failed to log on)

Over the years, I had found that many admins were confused about Event ID 4625 in particular. The confusion could come from not looking at the event’s message details. Thus, some admins may interpret every host that logged a 4625 event as a source of the logon failures. That may NOT necessarily be true.

Event ID 4625 Task Categories

Look at the “TaskCategory” or “Failure Reason” messages associated with each Event ID 4625. You may find that the failure was NOT due to a bad password. Instead, the account may have failed to log on BECAUSE it was ALREADY locked.

If the Event ID 4625 message contains “TaskCategory=Logon” or “Failure Reason=Unknown user name or bad password”, those are the hosts that likely contributed to the lockout. A TaskCategory of “Account Lockout” or Failure Reason of “Account locked out” could simply indicate that the logon failure was the result of the account having ALREADY been locked.
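To separate the hosts that actually drove a lockout from those that merely hit an already-locked account, the following search is an added example; it is not one of the dashboard queries above and not code from the original post. It reuses the post's index and source, and goes a step beyond the Failure Reason text by also keying on the Status/Sub Status NTSTATUS codes that Windows records in a 4625 (0xC000006A bad password, 0xC0000064 unknown user name, 0xC0000234 account locked out), since those codes do not change with the OS display language the way the Failure Reason string does. It assumes the Splunk Add-on for Windows extractions `Status`, `Sub_Status`, `Workstation_Name` and `Failure_Reason`; adjust to your own field names if they differ.

```spl
index="yuenx_win_sec" source=WinEventLog:Security EventCode=4625
| eval Account=mvindex(Account_Name,1)
| eval Src_Host=coalesce(Workstation_Name, Caller_Computer_Name)
| fillnull value="-" Src_Host Source_Network_Address Logon_Type
| eval Failure_Class=case(
    lower(Status)=="0xc0000234" OR lower(Sub_Status)=="0xc0000234", "Already locked out (NOT a cause)",
    lower(Sub_Status)=="0xc000006a", "Bad password (likely contributor)",
    lower(Sub_Status)=="0xc0000064", "Unknown user name (likely contributor)",
    1=1, coalesce(Failure_Reason, "Other"))
| stats count, min(_time) as First, max(_time) as Last
    by Account, Src_Host, Source_Network_Address, Logon_Type, Failure_Class
| eval First=strftime(First, "%m/%d/%y %H:%M:%S"), Last=strftime(Last, "%m/%d/%y %H:%M:%S")
| sort -count
```

Both classes are kept in the result so the split is visible per source host; the Logon_Type column tells you whether the contributor is a Network (3), Batch (4) or Service (5) logon, which is usually the fastest hint toward a stale scheduled task or service credential. Add `| where Failure_Class!="Already locked out (NOT a cause)"` before the sort if you only want the rows that can explain the lockout.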

Color Formatting

To further help with visualization, you may want to edit each column to color format its values based on Scale, Ranges, or Values:

Column Color Formatting

Cybersecurity Warning: Kerberos + KRBTGT

Active Directory security is EXTREMELY important. One of the articles any domain administrator MUST read is one by Bryan Patton over at Quest. In it, he clearly describes what the special KRBTGT account is, what it is for, how it is used, and why its password should be changed regularly (but not too quickly). It is created with every AD domain.

Cybersecurity Defense: “Golden Ticket” is an attack type that gives a bad actor the ability to impersonate any user and talk to any Kerberos service in a domain without the need to authenticate to a domain controller or to have a valid user account. The attack exploits the special domain user, KRBTGT, which is responsible for signing Kerberos TGTs using its own password’s NT hash. Once a forged, signed ticket has been obtained, the attacker can regain access even after getting kicked off the network.

Remediation would involve resetting the KRBTGT user’s password twice, but do so with EXTREME caution! In fact, Bryan Patton’s article suggests doing the 2nd reset a week after the first one to give all DCs sufficient time to complete replication. Note: This should also be done after an administrator with access to KRBTGT has left the role or organization.
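Because each KRBTGT reset leaves an Event ID 4724 on the domain controller with krbtgt as the target account, the search below lists every reset of that account together with the number of days since the previous one, so you can confirm that the second reset landed at least a week after the first and that no reset happened outside a planned window. It is an added example, not part of the original post or of the dashboard above; it uses the post's index and the same mvindex(Account_Name,1) convention the dashboard applies to the target of a 4724, and assumes `ComputerName` and `Keywords` (Audit Success / Audit Failure) are the standard Windows add-on fields.

```spl
index="yuenx_win_sec" source=WinEventLog:Security EventCode=4724
| eval ActionBy=mvindex(Account_Name,0), Target=mvindex(Account_Name,1)
| where lower(Target)="krbtgt"
| sort _time
| streamstats current=f window=1 last(_time) as Prev_Reset by Target
| eval Days_Since_Prev=if(isnull(Prev_Reset), "-", round((_time-Prev_Reset)/86400, 1))
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| sort -_time
| table Time, Target, ActionBy, ComputerName, Keywords, Days_Since_Prev
```

Run it over the whole retention window rather than the dashboard's short time picker, since the two resets are a week apart by design. A Days_Since_Prev well under 7, or an ActionBy that is not the administrator who performed the planned reset, is the row to investigate; the same search saved as an alert gives you notice of any KRBTGT password change you did not schedule.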
