SIEM Visualization Example 1: Failed Logon Attempts (All Users)

July 3, 2024

Then add a filter: event.code is 4625

Event ID 4625 – a failed logon attempt on a Windows system

Select the windows* data view

Type user.name.keyword in the field search

Select the Table visualization type

Then add rows in the right-side panel of the screen:

Field: user.name.keyword

Number of values: 100

Under Metrics, select Count

Then just update or refresh the page

Then add another row: host.hostname.keyword

Clicking Save and return adds the new visualization to the dashboard

Just click save again

After that you can see the created dashboard

We can edit this now

Then edit the Lens visualization and rename the columns:

user.name.keyword to Username

host.hostname.keyword to Event logged by

Then add one more row:

Field: winlog.logon.type.keyword

Number of values: 1000

Display name: Logon Type

Rename the metric from Count of records to # of logins

Sort the table by # of logins, descending

Then click Save and return

The DESKTOP-DPOESND, WIN-OK9BH1BCKSD, and WIN-RMMGJA7T9TC usernames (the hosts' own computer accounts, whose names end in $) can be excluded, and the table restricted to the Security channel, by adding the following filter.

NOT user.name: *$ AND winlog.channel.keyword: Security
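As an added example that is not part of the original walkthrough, the Python below reproduces what the Lens table computes: it applies the event.code 4625 filter and the KQL filter above to winlogbeat-style (ECS) event documents, then counts failed logons per Username, Event logged by and Logon Type, sorted descending. The events are constructed sample data, and the logon type strings are assumed to follow winlogbeat's winlog.logon.type naming.

```python
"""Emulate the failed-logon Lens table (event.code 4625) over sample events."""
from collections import Counter


def make_event(code, user, host, logon_type, channel="Security"):
    """Build a minimal winlogbeat-style ECS document (constructed, not real data)."""
    return {"event": {"code": code}, "user": {"name": user}, "host": {"hostname": host},
            "winlog": {"channel": channel, "logon": {"type": logon_type}}}


# Constructed sample data: three hosts, one machine account, one successful logon,
# and one 4625 written to a channel other than Security.
SAMPLE_EVENTS = (
    [make_event("4625", "alice", "WIN-RMMGJA7T9TC", "Network")] * 3
    + [make_event("4625", "alice", "WIN-RMMGJA7T9TC", "Interactive")]
    + [make_event("4625", "bob", "DESKTOP-DPOESND", "Network")] * 2
    + [make_event("4625", "DESKTOP-DPOESND$", "DESKTOP-DPOESND", "Network")]  # machine account
    + [make_event("4624", "alice", "WIN-RMMGJA7T9TC", "Network")]  # successful logon, not 4625
    + [make_event("4625", "carol", "WIN-OK9BH1BCKSD", "Network", channel="Application")]
)


def matches_filter(ev):
    """event.code: 4625 AND winlog.channel.keyword: Security AND NOT user.name: *$"""
    user = ev.get("user", {}).get("name", "")
    return (ev.get("event", {}).get("code") == "4625"
            and ev.get("winlog", {}).get("channel") == "Security"
            and not user.endswith("$"))  # drop computer accounts (names ending in $)


def failed_logon_table(events, limit=100):
    """Rows = (Username, Event logged by, Logon Type); metric = # of logins, descending."""
    counts = Counter()
    for ev in events:
        if not matches_filter(ev):
            continue
        key = (ev["user"]["name"], ev["host"]["hostname"], ev["winlog"]["logon"]["type"])
        counts[key] += 1
    # most_common() sorts by count descending, like the "# of logins" sort in Lens;
    # limit mirrors the "Number of values" setting on the row dimensions.
    return [{"Username": u, "Event logged by": h, "Logon Type": t, "# of logins": n}
            for (u, h, t), n in counts.most_common(limit)]


if __name__ == "__main__":
    for row in failed_logon_table(SAMPLE_EVENTS):
        print(row)
```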
