App Name: winwatch

Version: 1.1

Author: Securonix Anjaneyulu Bollimuntha

Installation and Configuration document:

Support Contact: anjirhl@gmail.com

Description of the App:

The WinWatch App for Splunk provides an executive and operational view of key metrics and trends derived from the Windows Security event log.

Prerequisites:

• Splunk Enterprise, Splunk Light or Splunk Cloud server.

• Log data with sourcetype WinEventLog:Security

Install the WinWatch App

The WinWatch app is provided as a “.tar.gz” file. Follow the standard app import process in Splunk through the “Manage Apps” menu to install the WinWatch App.

>> Click “Manage Apps” in the Apps drop-down and choose the “Install app from file” option.

<< Dashboard Details >>

User Logon Metrics / Trends

The initial three panels provide a day-over-day comparison (last 48 hours) of the items below; the remaining panels show the logon trends.

Number of servers accessed by users.

Number of unique accounts used.

Total logon count.

Total logon trend.

Interactive logon trend.

Non-interactive logon trend (network, batch, etc.).
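As an added example (not part of the WinWatch app, which ships only as Splunk dashboards), this Python computes the same day-over-day logon metrics from a few constructed WinEventLog:Security-style records; EventCode 4624/4625 and the Logon_Type numbers are standard Windows Security event values, while the hosts, account names and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WinEventLog:Security-style records (key=value). EventCode 4624/4625 and
# Logon_Type are standard Windows values; hosts, users and times are made up.
SAMPLE_EVENTS = [
    "_time=2024-05-01T08:00:00 host=srv01 EventCode=4624 Account_Name=alice Logon_Type=2",
    "_time=2024-05-01T08:05:00 host=srv02 EventCode=4624 Account_Name=bob Logon_Type=3",
    "_time=2024-05-01T09:30:00 host=srv01 EventCode=4624 Account_Name=alice Logon_Type=3",
    "_time=2024-05-01T10:00:00 host=srv03 EventCode=4625 Account_Name=mallory Logon_Type=3",
    "_time=2024-05-02T08:10:00 host=srv01 EventCode=4624 Account_Name=carol Logon_Type=10",
    "_time=2024-05-02T08:20:00 host=srv02 EventCode=4624 Account_Name=bob Logon_Type=4",
    "_time=2024-05-02T11:00:00 host=srv04 EventCode=4624 Account_Name=alice Logon_Type=2",
]

# Interactive logon types: 2 console, 10 RemoteInteractive (RDP), 11 CachedInteractive.
# Everything else (3 network, 4 batch, 5 service, ...) counts as non-interactive.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}

def parse_event(line):
    return dict(token.split("=", 1) for token in line.split())  # values carry no spaces

def logon_metrics(events, now_iso, window_hours=48):
    """Per-day metrics for successful logons (4624) within the last window_hours."""
    now = datetime.fromisoformat(now_iso)
    start = now - timedelta(hours=window_hours)
    per_day = defaultdict(lambda: {"servers": set(), "accounts": set(),
                                   "logons": 0, "interactive": 0, "non_interactive": 0})
    for line in events:
        ev = parse_event(line)
        ts = datetime.fromisoformat(ev["_time"])
        if ev.get("EventCode") != "4624" or not (start <= ts <= now):
            continue  # failed logons and events outside the window are ignored
        day = per_day[ts.date().isoformat()]
        day["servers"].add(ev["host"])
        day["accounts"].add(ev["Account_Name"])
        day["logons"] += 1
        kind = "interactive" if ev.get("Logon_Type") in INTERACTIVE_LOGON_TYPES else "non_interactive"
        day[kind] += 1
    # Collapse the sets of hosts/accounts into distinct counts.
    return {d: {k: (len(v) if isinstance(v, set) else v) for k, v in m.items()}
            for d, m in sorted(per_day.items())}

def day_over_day(metrics):
    """Change of each metric from the previous day to the latest day in metrics."""
    days = sorted(metrics)
    if len(days) < 2:
        return {}
    prev, cur = metrics[days[-2]], metrics[days[-1]]
    return {k: cur[k] - prev[k] for k in cur}
```

Calling `day_over_day(logon_metrics(SAMPLE_EVENTS, "2024-05-02T12:00:00"))` gives the signed change shown by the three comparison panels; a Splunk search for the same dashboard would group by day in the same way.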

Management Activities

The first four panels in the dashboard provide the details below.

- Count of accounts created (day-over-day comparison)

- Count of accounts removed (day-over-day comparison)

- Count of accounts modified (day-over-day comparison)

- Trend over time (accounts created / removed) for the selected timeframe.

- Activity trend of accounts being enabled and disabled.

- Activity trend of accounts being locked and unlocked.

- Activity trend of firewall rule changes.

- Activity trend of domain and audit policy changes.