SIEM Visualization Example 1: Failed Logon Attempts (All Users)

In this example, we will walk through the process of creating and refining a SIEM visualization for monitoring failed logon attempts across all users. This visualization will be displayed on a dashboard in Kibana, leveraging the Elastic Stack's capabilities for data analysis and presentation.


Step 1: Setting Up the Dashboard

  1. Access Kibana:

    • Navigate to http://[Target IP]:5601.

    • Open the side navigation toggle and click on "Dashboard".

  2. Delete Existing Dashboards:

    • If there is an existing dashboard (e.g., "SOC-Alerts"), delete it to start fresh.

  3. Create a New Dashboard:

    • When prompted with the message "No dashboards currently exist," click on "Create new dashboard".

  4. Add a Visualization:

    • Click on "Create visualization" to begin building your first visualization.


Step 2: Configuring the Visualization

  1. Set the Time Range:

    • Click on the calendar icon to open the time picker.

    • Specify the date range as "Last 15 years" and click "Apply". This window is wide enough to pick up the lab's historical data; on a live dashboard you would use a short rolling window (for example, last 24 hours) instead.

  2. Filter Data:

    • Use the filter option to narrow down the data to only include failed logon attempts.

    • Add a filter for event.code: 4625 (Windows Security event ID 4625, "An account failed to log on").

  3. Select the Index Pattern:

    • In the Index pattern field, specify windows* to focus on Windows-related logs.

  4. Verify Fields:

    • Use the search bar to confirm the presence of fields like user.name.keyword and host.hostname.keyword.

    • Note: Aggregate on the .keyword sub-fields. A text field is analyzed (tokenized and lower-cased) and cannot be used in a terms aggregation unless fielddata is enabled, whereas the keyword sub-field stores the exact, unmodified value and is aggregatable. It is also case-sensitive, so "Administrator" and "administrator" appear as separate rows.

  5. Choose Visualization Type:

    • From the dropdown menu, select "Table" as the visualization type.


Step 3: Building the Table Visualization

  1. Configure Rows:

    • Click on "Rows" and configure the following:

      • Field: user.name.keyword

      • Rank by: Alphabetical (or Count of records, if available).

    • Close the Rows window.

  2. Add Metrics:

    • Click on "Metrics" and select "Count" as the metric.

    • The table will populate with data showing the count of failed logon attempts per user.

  3. Add Host Information:

    • Add another Rows setting to include the machine where the failed logon occurred:

      • Field: host.hostname.keyword

    • The table will now display three columns:

      • Username (user.name.keyword)

      • Machine (host.hostname.keyword)

      • Count of failed logon attempts.

  4. Save the Dashboard:

    • Click on the "Save" button to save your progress.


Step 4: Refining the Visualization

Based on feedback from the SOC Manager, we will refine the visualization to improve clarity, relevance, and usability.

Refinement 1: Clearer Column Names

  • Rename the columns for better readability:

    • user.name.keyword -> "Username"

    • host.hostname.keyword -> "Machine"

    • Count -> "Failed Logon Attempts"

Refinement 2: Include Logon Type

  • Add the Logon Type field to the visualization:

    • Field: winlog.logon.type.keyword

    • This provides additional context about the type of logon attempt. The field carries the numeric logon type from the event: 2 = Interactive, 3 = Network, 10 = RemoteInteractive, and so on.

Refinement 3: Sort Results

  • Sort the table by the count of failed logon attempts in descending order to prioritize users with the most failed attempts.

Refinement 4: Exclude Specific Usernames

  • Exclude specific usernames (e.g., DESKTOP-DPOESND, WIN-OK9BH1BCKSD, WIN-RMMGJA7T9TC) by adding one negated filter per name (in the filter bar: field user.name.keyword, operator "is not"). These are default-style Windows machine names showing up in the username field, not human accounts, so they are noise in this table.

Refinement 5: Exclude Computer Accounts

  • Exclude computer accounts (accounts whose name ends with $) by adding the following KQL query:

    • NOT user.name: *$ AND winlog.channel.keyword: Security

    • The AND winlog.channel.keyword: Security clause restricts results to logs from the Security channel. Because event ID 4625 is only ever written to the Security log, this clause is redundant given the event.code filter, but it makes the intent explicit and costs nothing.
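The table built in Steps 2 to 4, expressed in code so the logic can be checked outside Kibana. This is an added example, not code from the original page or from Elastic: build_query() returns the Elasticsearch query DSL equivalent of the final KQL and the nested terms aggregation Kibana runs behind the table, and failed_logon_table() applies the same filters and sort order to a handful of constructed sample documents. Field names follow the page; the sample documents, the hostnames WS01 and DC01, the usernames bob and alice, and the assumption that event.code is stored as the keyword "4625" are all assumptions made for the example.

```python
"""Failed-logon table (event 4625) as an ES aggregation query plus local logic.
Added example; field names follow the page, everything else is constructed."""
from collections import Counter

EVENT_ID_FAILED_LOGON = "4625"   # assumed keyword-mapped event.code; Security log only
# Usernames excluded in Refinement 4 (values taken from the page).
EXCLUDED_NAMES = {"DESKTOP-DPOESND", "WIN-OK9BH1BCKSD", "WIN-RMMGJA7T9TC"}
# Logon type values carried by 4625 (Microsoft's documented meanings), decoded for the analyst.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}


def build_query(size: int = 10) -> dict:
    """Query DSL for: event.code:4625 AND NOT user.name:*$ AND winlog.channel.keyword:Security,
    minus the excluded names, aggregated user -> host -> logon type, most failures first."""
    return {
        "size": 0,
        "query": {"bool": {
            "filter": [
                {"term": {"event.code": EVENT_ID_FAILED_LOGON}},
                {"term": {"winlog.channel.keyword": "Security"}},
            ],
            "must_not": [
                {"wildcard": {"user.name.keyword": "*$"}},            # computer accounts
                {"terms": {"user.name.keyword": sorted(EXCLUDED_NAMES)}},
            ],
        }},
        "aggs": {"by_user": {
            "terms": {"field": "user.name.keyword", "size": size, "order": {"_count": "desc"}},
            "aggs": {"by_host": {
                "terms": {"field": "host.hostname.keyword", "size": size},
                "aggs": {"by_logon_type": {
                    "terms": {"field": "winlog.logon.type.keyword", "size": size}}},
            }},
        }},
    }


def failed_logon_table(docs: list[dict]) -> list[dict]:
    """Same filters applied locally to flat documents; returns the final table rows,
    sorted by Failed Logon Attempts descending (Refinement 3)."""
    counts: Counter = Counter()
    for d in docs:
        if str(d.get("event.code")) != EVENT_ID_FAILED_LOGON:
            continue                                   # not a failed logon
        if d.get("winlog.channel") != "Security":
            continue                                   # wrong channel
        user = d.get("user.name", "")
        if user.endswith("$") or user in EXCLUDED_NAMES:
            continue                                   # computer account or excluded name
        counts[(user, d.get("host.hostname", ""), str(d.get("winlog.logon.type")))] += 1
    rows = [{"Username": u, "Machine": h,
             "Logon Type": f"{t} ({LOGON_TYPES.get(t, 'Unknown')})",
             "Failed Logon Attempts": n}
            for (u, h, t), n in counts.items()]
    rows.sort(key=lambda r: (-r["Failed Logon Attempts"], r["Username"], r["Machine"], r["Logon Type"]))
    return rows


# Constructed sample events, not real telemetry.
SAMPLE_DOCS = [
    {"event.code": "4625", "winlog.channel": "Security", "user.name": "bob", "host.hostname": "WS01", "winlog.logon.type": "2"},
    {"event.code": "4625", "winlog.channel": "Security", "user.name": "bob", "host.hostname": "WS01", "winlog.logon.type": "2"},
    {"event.code": "4625", "winlog.channel": "Security", "user.name": "bob", "host.hostname": "WS01", "winlog.logon.type": "2"},
    {"event.code": "4625", "winlog.channel": "Security", "user.name": "alice", "host.hostname": "DC01", "winlog.logon.type": "3"},
    {"event.code": "4625", "winlog.channel": "Security", "user.name": "alice", "host.hostname": "DC01", "winlog.logon.type": "10"},
    {"event.code": "4625", "winlog.channel": "Security", "user.name": "WS01$", "host.hostname": "DC01", "winlog.logon.type": "3"},             # computer account: dropped
    {"event.code": "4625", "winlog.channel": "Security", "user.name": "DESKTOP-DPOESND", "host.hostname": "DC01", "winlog.logon.type": "3"},  # excluded name: dropped
    {"event.code": "4624", "winlog.channel": "Security", "user.name": "alice", "host.hostname": "DC01", "winlog.logon.type": "3"},            # successful logon: dropped
]

if __name__ == "__main__":
    for row in failed_logon_table(SAMPLE_DOCS):
        print(row)
```

Run the file to print the three surviving rows; bob on WS01 (three interactive failures) sorts to the top, the computer account WS01$, the excluded machine name and the 4624 success are all dropped. The DSL from build_query() can be sent to the cluster's _search endpoint against the windows* index pattern to confirm the Kibana table against raw aggregation buckets.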


Step 5: Final Visualization

After applying all refinements, the final visualization will include:

  1. Columns:

    • Username: Displays the names of users attempting to log in.

    • Machine: Shows the hostname where the logon attempt occurred.

    • Logon Type: Indicates the type of logon attempt.

    • Failed Logon Attempts: Counts the number of failed attempts per user.

  2. Filters:

    • Excludes irrelevant usernames and computer accounts.

    • Focuses on logs from the Security channel.

  3. Sorting:

    • Sorted by the count of failed logon attempts in descending order.


Step 6: Save and Review

  1. Save the Visualization:

    • Click on "Save and return" to finalize the changes.

  2. Review the Dashboard:

    • Navigate back to the Dashboard page to view the refined visualization.

    • Ensure that the table displays accurate and actionable insights.


Key Takeaways

  1. Dashboards and Visualizations:

    • Dashboards in SIEM solutions allow you to organize and display data in a meaningful way.

    • Visualizations like tables help summarize and present complex data clearly.

  2. Refinements Improve Usability:

    • Clear column names, sorting, and filtering enhance the readability and relevance of the data.

    • Excluding irrelevant data reduces noise and focuses on actionable insights.

  3. Best Practices:

    • Use .keyword fields for aggregations.

    • Leverage KQL queries to filter out unwanted data.

    • Regularly review and refine visualizations based on feedback and evolving requirements.

By following these steps, you can create a robust visualization for monitoring failed logon attempts, enabling your SOC team to proactively identify and respond to potential security threats.
