App Name: winwatch
Version: 1.1
Author: Securonix Anjaneyulu Bollimuntha
Installation and Configuration document:
Support Contact: anjirhl@gmail.com

Description of the App:

The WinWatch App for Splunk provides an executive and operational view of key metrics and trends derived from the Windows security event log.

Prerequisites:

• Splunk Enterprise / Light / Cloud server.
• Log data with source type: WinEventLog:Security

Install the WinWatch App

The WinWatch app is provided as a “.tar.gz” file. Follow the standard app import process in Splunk through the “Manage Apps” menu to install the WinWatch App.

>> Click “Manage Apps” in the Apps drop-down and choose the “Install app from file” option.

<< Dashboard Details >>

User Logon Metrics / Trends

The initial three panels provide a day-to-day comparison of the items below (last 48 hrs).

• Number of servers people accessed.
• Number of unique accounts used.
• Total logon count.
• Total logon trend.
• Interactive logon trend.
• Non-interactive logon trend (network, batch, etc.).

Management Activities

The first four panels in the dashboard provide the details below.

- Count of accounts created (day-to-day comparison)
- Count of accounts removed (day-to-day comparison)
- Count of accounts modified (day-to-day comparison)
- Trend over time (accounts created / removed) for the selected timeframe.
- Activity trend of accounts being enabled and disabled.
- Activity trend of accounts being locked and unlocked.
- Activity trend of firewall rule changes.
- Activity trend of domain and audit policy changes.