Splunk Alerts and Dashboards - serate-actual/sec350final GitHub Wiki

Failed/Successful Logins

  • Use this search
    • source="wineventlog:security" EventCode=4625 OR EventCode=4624
    • 4624s are successful logins, and 4625s are unsuccessful logins.
  • Create a pivot table
    • Add the Host field. This is important to distinguish between the hosts.
  • Select the Bar chart
    • Set the Color field to be dependent upon the EventCode
    • Set the Y axis to be dependent upon the count of events
  • Add this to the Overview dashboards created in previous tutorials
  • For increased precision, add another pivot table with the same data, but insert it as a table

Editing config files on log01

  • Create a search for host="log01" type="PATH" name="/etc/sudoers.d*" OR name="/etc/ssh*" OR name="/etc/sudoers"
  • Create a pivot table
  • Create a line graph visualization, and set the color to be changed by the name field, allowing you to pinpoint the lifecycle of each file.

Alteration of ImportantFiles.txt chart

  • Do a field extraction on a log with sourcetype="ImportantFilesVandalism"
    • Extract the whole body of the log, which should be just the text that was added
  • Create a pivot table for the search sourcetype="ImportantFilesVandalism"
  • Create a "Single Value" dashboard, and set the value to NewText
    • Select the Latest option for the value
  • Save this to your
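
The three searches and pivots above, re-computed over constructed sample events as an added example (this is not code from the wiki or the sec350final project), so the values the bar chart, the line graph and the Single Value panel display can be checked by hand. The events, hosts and NewText strings are made up; the field names (host, EventCode, type, name, sourcetype, NewText, _time) are assumed to match what Splunk extracts, and Splunk's field=value matching is assumed to be case-insensitive with "*" as the wildcard.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not real logs) carrying only the fields the wiki's
# three searches use. Field names mirror Splunk's: host, EventCode, type, name,
# sourcetype, NewText and _time (epoch seconds).
WIN_EVENTS = [
    {"host": "DC01",  "EventCode": "4624"},
    {"host": "DC01",  "EventCode": "4625"},
    {"host": "USR01", "EventCode": "4625"},
    {"host": "USR01", "EventCode": "4625"},
    {"host": "USR01", "EventCode": "4624"},
    {"host": "USR01", "EventCode": "4672"},   # privilege event, not a login: filtered out
]

AUDIT_EVENTS = [
    {"host": "log01", "type": "PATH",    "name": "/etc/sudoers"},
    {"host": "log01", "type": "PATH",    "name": "/etc/sudoers.d/90-cloud-init"},
    {"host": "log01", "type": "PATH",    "name": "/etc/ssh/sshd_config"},
    {"host": "log01", "type": "PATH",    "name": "/etc/hostname"},         # not a watched path
    {"host": "log01", "type": "SYSCALL", "name": "/etc/ssh/sshd_config"},  # wrong record type
    {"host": "web01", "type": "PATH",    "name": "/etc/ssh/sshd_config"},  # wrong host
]

VANDALISM_EVENTS = [
    {"sourcetype": "ImportantFilesVandalism", "_time": 1700000000, "NewText": "first edit"},
    {"sourcetype": "ImportantFilesVandalism", "_time": 1700000300, "NewText": "second edit"},
    {"sourcetype": "syslog",                  "_time": 1700000600, "NewText": "ignored"},
]

LOGIN_CODES = {"4624": "success", "4625": "failure"}
WATCHED_PATHS = ["/etc/sudoers.d*", "/etc/ssh*", "/etc/sudoers"]


def login_counts_by_host(events):
    """What the first pivot computes: per-host counts of 4624 (success) and
    4625 (failure); every other EventCode is dropped by the search filter.
    Equivalent SPL tail: | stats count by host, EventCode"""
    counts = {}
    for ev in events:
        outcome = LOGIN_CODES.get(ev.get("EventCode"))
        if outcome is None:
            continue
        per_host = counts.setdefault(ev["host"], {"success": 0, "failure": 0})
        per_host[outcome] += 1
    return counts


def failure_ratio(counts, host):
    """Share of login attempts on a host that failed; the table panel placed
    next to the bar chart shows these raw numbers. 0.0 when the host has none."""
    c = counts.get(host, {"success": 0, "failure": 0})
    total = c["success"] + c["failure"]
    return c["failure"] / total if total else 0.0


def splunk_wildcard_match(value, pattern):
    """Splunk field=value matching: '*' is a wildcard and the comparison is
    case-insensitive, so normalise case before the fnmatch comparison."""
    return fnmatchcase(value.lower(), pattern.lower())


def watched_file_events(events, host="log01"):
    """The log01 search: auditd PATH records from one host whose name matches
    any of the three watched patterns. Returns the matching names in event order."""
    return [
        ev["name"] for ev in events
        if ev["host"] == host and ev["type"] == "PATH"
        and any(splunk_wildcard_match(ev["name"], pat) for pat in WATCHED_PATHS)
    ]


def latest_value(events, field, sourcetype="ImportantFilesVandalism"):
    """The Single Value panel with 'Latest' selected: the field from the most
    recent event of the sourcetype, or None when there is no such event."""
    matching = [ev for ev in events if ev["sourcetype"] == sourcetype and field in ev]
    if not matching:
        return None
    return max(matching, key=lambda ev: ev["_time"])[field]


if __name__ == "__main__":
    counts = login_counts_by_host(WIN_EVENTS)
    for host, c in sorted(counts.items()):
        print(f"{host}: {c['success']} successful, {c['failure']} failed "
              f"({failure_ratio(counts, host):.0%} failed)")
    print("watched files touched on log01:", watched_file_events(AUDIT_EVENTS))
    print("latest NewText:", latest_value(VANDALISM_EVENTS, "NewText"))
```

Running it prints one line per host with the success/failure split the bar chart colours by EventCode, the three watched paths the line graph would plot by name (the /etc/hostname record, the SYSCALL record and the web01 record are excluded by the search terms), and "second edit" as the value the Single Value panel shows. Keeping the per-host table next to the bar chart matters because a host with few successes and many failures looks similar to a busy host in the chart alone; the failure ratio makes that difference visible.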

Adding Alert Reports to the dashboard

  • Add the alert reports for the following alerts to your dashboard
    • /etc/ssh altered
    • ImportantFiles.txt on USR01 was altered