
Error parsing dashboard XML: The URI to be decoded is not a valid encoding. Go to "Edit Source" to fix


Windows Overview Dashboard error.
Error parsing dashboard XML: The URI to be decoded is not a valid encoding. Go to "Edit Source" to fix

Source:

Windows Overview - v2.4

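<!-- NOTE(review): the panels are shown as pasted, without the <dashboard>/<form> root
     and the <row> wrappers Simple XML requires around each <panel>; confirm those exist
     in the saved source before testing any of the fixes below. -->
<panel>
  <html>
    <h1>
      <center>General Information System Statistics Panel</center>
    </h1>
  </html>
  <!-- Distinct accounts with a successful logon (4624, legacy 528) in the dashboard's
       time range. "dedup user | stats count(user)" is collapsed to dc(user): a single
       streaming aggregation instead of a dedup pass over every logon event. The number
       is identical for a single-valued user field; if user is multivalued, dc counts
       each value separately. No logon-type or machine-account filter is applied here,
       so service/network logons and COMPUTER$ accounts are included in the figure. -->
  <single>
    <title>Active Users</title>
    <search>
      <query>index=winevents EventCode=4624 OR EventCode=528 | stats dc(user)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="numberPrecision">0</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="underLabel">Number of Active Users</option>
    <option name="useColors">0</option>
    <option name="drilldown">none</option>
  </single>
  <!-- Baseline from the AD_Users.csv inventory lookup; count(DisplayName) only counts
       rows whose DisplayName is non-empty. The value is only as current as the lookup
       refresh, so a stale CSV silently skews the Active vs Total comparison. -->
  <single>
    <title>Total AD Users</title>
    <search>
      <query>|inputlookup AD_Users.csv |stats count(DisplayName)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="useColors">1</option>
    <option name="underLabel">Total Users</option>
    <option name="drilldown">none</option>
    <option name="rangeColors">[&quot;0xd93f3c&quot;,&quot;0x555&quot;]</option>
    <option name="rangeValues">[0]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">auto</option>
    <option name="useThousandSeparators">1</option>
    <option name="linkView">search</option>
  </single>
  <!-- Distinct hosts that have sent any event to the winevents index in the time
       range; same dedup-to-dc simplification as Active Users. -->
  <single>
    <title>Active Hosts</title>
    <search>
      <query>index=winevents | stats dc(host)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="numberPrecision">0</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="useColors">0</option>
    <option name="underLabel">Number of Active Hosts</option>
    <option name="drilldown">none</option>
  </single>
  <!-- Baseline from the AD_Hosts.csv inventory lookup (same caveats as AD_Users.csv). -->
  <single>
    <title>Total AD Hosts</title>
    <search>
      <query>|inputlookup AD_Hosts.csv |stats count(DisplayName)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="useColors">1</option>
    <option name="underLabel">Total Hosts</option>
    <option name="drilldown">none</option>
    <option name="rangeColors">[&quot;0xd93f3c&quot;,&quot;0x555&quot;]</option>
    <option name="rangeValues">[0]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">auto</option>
    <option name="useThousandSeparators">1</option>
    <option name="linkView">search</option>
  </single>
</panel>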


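<panel>
  <html>
    <h1>
      <center>User Account Action Panel</center>
    </h1>
  </html>
  <!-- Account lifecycle events, each listed with its Vista+ code and its legacy
       (2000/XP/2003) code so mixed estates report into one tile. Every drilldown
       derives a "Performed By" column: on the 47xx events Account_Name is multivalued
       and index 0 is taken as the subject (the operator), while the legacy 6xx events
       carry the operator in Caller_User_Name; coalesce picks whichever exists.
       Fixed in this revision: the column labels were misspelled "Preformed". -->
  <!-- Counts distinct accounts created (dc(user)); the other tiles count events. -->
  <single>
    <title>Newly Created Accounts</title>
    <search>
      <query>index=winevents EventCode=4720 OR EventCode=624 | chart dc(user)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="trendInterval">-7d</option>
    <option name="underLabel">New Accounts</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=4720 OR EventCode=624 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS &quot;Performed By&quot;, user AS &quot;Performed To&quot;</link>
    </drilldown>
    <option name="linkView">search</option>
    <option name="drilldown">all</option>
  </single>
  <!-- 4722 enabled, 4725 disabled; legacy 625 type change, 626 enabled, 629 disabled. -->
  <single>
    <title>Account Modifications</title>
    <search>
      <query>index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725 | chart count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-7d</option>
    <option name="underLabel">Account Modifications</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=625 OR EventCode=626 OR EventCode=629 OR EventCode=4722 OR EventCode=4725| eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS &quot;Performed By&quot;, user AS &quot;Performed To&quot;</link>
    </drilldown>
  </single>
  <single>
    <title>Accounts Deleted</title>
    <search>
      <query>index=winevents EventCode=630 OR EventCode=4726 |chart count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">auto</option>
    <option name="underLabel">Accounts Deleted</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=630 OR EventCode=4726 | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS &quot;Performed By&quot;, user AS &quot;Performed To&quot;</link>
    </drilldown>
  </single>
  <!-- 4723/627 = user changed own password, 4724/628 = password reset by another
       account. Account_Name!=*$ drops machine accounts (trailing $). The search
       command evaluates OR before the implicit AND, so the filter applies to all
       four codes even without parentheses; they are added here to make that explicit.
       NOTE(review): Account_Name is multivalued on these events (subject and target);
       confirm the != test behaves as intended when only one of the values ends in $. -->
  <single>
    <title>Password Changes</title>
    <search>
      <query>index=winevents (EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724) Account_Name!=*$ |chart count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">auto</option>
    <option name="underLabel">Password Changes</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents (EventCode=627 OR EventCode=4723 OR EventCode=628 OR EventCode=4724) Account_Name!=*$ | eval PerByAcct_7=mvindex(Account_Name,0) | eval PerByAcct_XP=Caller_User_Name| eval PerByAcct=coalesce(PerByAcct_7,PerByAcct_XP)| table EventCode, signature, PerByAcct, user, host, _time | rename PerByAcct AS &quot;Performed By&quot;, user AS &quot;Performed To&quot;</link>
    </drilldown>
  </single>
  <!-- 4740 (legacy 644): account locked out. No operator column here; the event is
       raised by the DC, and the drilldown lists the locked account, host and time. -->
  <single>
    <title>Account Lockouts</title>
    <search>
      <query>index=winevents EventCode=644 OR EventCode=4740|chart count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">auto</option>
    <option name="underLabel">Account Lockouts</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=644 OR EventCode=4740 | table EventCode, signature, user, host, _time</link>
    </drilldown>
  </single>
</panel>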


<panel>
  <html>
    <h1>
      <center>Computer Account Actions Panel</center>
    </h1>
    <h3>
      <center>(Investigate any actions that appear here)</center>
    </h3>
  </html>
  <!-- Computer-object and host-state events. Each tile counts events that carry a
       host field (stats count(host)); the tiles are written with options grouped as
       display, thresholds, trend, then drilldown so they can be compared at a glance.
       Thresholds: green 0-9, yellow 10-99, orange/red above, except Shutdowns. -->

  <!-- 4741 (legacy 645): computer account created. -->
  <single>
    <title>Newly Created Computers</title>
    <search>
      <query>index=winevents EventCode=4741 OR EventCode=645 | stats count(host)</query>
    </search>
    <option name="underLabel">New Computers</option>
    <option name="numberPrecision">0</option>
    <option name="useThousandSeparators">true</option>
    <option name="useColors">true</option>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendInterval">-7d</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendColorInterpretation">inverse</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=4741 OR EventCode=645 | table EventCode, signature, host, user, _time</link>
    </drilldown>
  </single>

  <!-- 4743 (legacy 647): computer account deleted. -->
  <single>
    <title>Recently Deleted Computers</title>
    <search>
      <query>index=winevents EventCode=4743 OR EventCode=647 | stats count(host)</query>
    </search>
    <option name="underLabel">Deleted Computers</option>
    <option name="numberPrecision">0</option>
    <option name="useThousandSeparators">true</option>
    <option name="useColors">true</option>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendInterval">-7d</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendColorInterpretation">inverse</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=4743 OR EventCode=647 | table EventCode, signature, host, user, _time</link>
    </drilldown>
  </single>

  <!-- Event 1202: Group Policy processing errors; the drilldown ranks hosts by count. -->
  <single>
    <title>Group Policy Errors</title>
    <search>
      <query>index=winevents EventCode=1202 | stats count(host)</query>
    </search>
    <option name="underLabel">Group Policy Errors</option>
    <option name="numberPrecision">0</option>
    <option name="useThousandSeparators">true</option>
    <option name="useColors">true</option>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendInterval">-7d</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendColorInterpretation">inverse</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=1202 | stats count sparkline AS Trend by host | sort - count</link>
    </drilldown>
  </single>

  <!-- 4609 (legacy 513): Windows is shutting down. Tighter thresholds (0-2 green,
       3-4 yellow, 5+ orange/red) and a 24h trend window, since shutdowns are rarer
       and more time-sensitive than the other events in this panel. -->
  <single>
    <title>Shutdowns Computer</title>
    <search>
      <query>index=winevents EventCode=4609 OR EventCode=513 | stats count(host)</query>
    </search>
    <option name="underLabel">Shutdowns</option>
    <option name="numberPrecision">0</option>
    <option name="useThousandSeparators">true</option>
    <option name="useColors">true</option>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,3,5]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendInterval">-24h</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendColorInterpretation">inverse</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=4609 OR EventCode=513 | table EventCode, signature, host, user, _time</link>
    </drilldown>
  </single>
</panel>


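<panel>
  <!-- Pipeline and endpoint health: quiet forwarders, MSI activity, AV check-ins.
       Fixed in this revision: "Forwaders" typo, duplicated linkView options, a
       drilldown that sorted on a field its own stats had already dropped, and an
       unescaped '&lt;' inside element text (it must be written as an entity in XML). -->

  <!-- metadata reports the newest indexed event per host; a host whose latest event is
       more than two hours old is counted as missing. Treat a host going quiet as a
       security signal as well as an ops one: a stopped or uninstalled forwarder is
       also what an intruder disabling logging looks like. -->
  <single>
    <title>Missing Forwarders</title>
    <search>
      <query>| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),&quot;-2h&quot;) | where lastTime &lt; Checkin | convert ctime(lastTime) as lastTime | stats count(host)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-7d</option>
    <option name="underLabel">Missing Forwarders</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=| metadata type=hosts index=winevents | table host, lastTime | eval Checkin = relative_time(now(),&quot;-2h&quot;) | where lastTime &lt; Checkin | convert ctime(lastTime) as lastTime| table host, lastTime | sort - lastTime</link>
    </drilldown>
    <option name="linkView">search</option>
    <option name="drilldown">all</option>
  </single>

  <!-- MsiInstaller 11707: product installed successfully. The redundant host="*"
       clause was dropped; count(host) already ignores events without a host. -->
  <single>
    <title>Software Installs</title>
    <search>
      <query>index=winevents SourceName=MsiInstaller EventCode=11707 | stats count(host)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-7d</option>
    <option name="underLabel">Software Installs</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <drilldown target="new">
      <link>/app/IA_Overview/SW_Detailed</link>
    </drilldown>
  </single>

  <!-- MsiInstaller 11724: product removed successfully. -->
  <single>
    <title>Software Uninstalls</title>
    <search>
      <query>index=winevents SourceName=MsiInstaller EventCode=11724 | stats count(host)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-7d</option>
    <option name="underLabel">Software Uninstalls</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <option name="linkView">search</option>
    <option name="linkFields">result</option>
    <drilldown target="new">
      <link>/app/IA_Overview/SW_Detailed</link>
    </drilldown>
  </single>

  <!-- Hosts that logged an AV-update event (EventCode 7, EventType 4) in the last
       30 days; the inline earliest/latest override the dashboard time picker.
       "stats first(1) by host | stats count(host)" is collapsed to dc(host), which
       yields the same number (one row per host, then counted). More hosts reporting
       is good, so the trend colour is "standard" (an increase shows green); the
       0 = red / 1+ = green range already encoded that intent.
       NOTE(review): no SourceName is specified, so any provider that logs an
       informational event ID 7 will be counted; add the AV product's SourceName if
       it is known. -->
  <single>
    <title>AV Updates</title>
    <search>
      <query>index=winevents EventCode=7 EventType=4 latest=now earliest=-30d@d | stats dc(host)</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0xd93f3c&quot;,&quot;0x65a637&quot;]</option>
    <option name="rangeValues">[0]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-7d</option>
    <option name="underLabel">AV Updates</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <option name="linkView">search</option>
    <option name="linkFields">result</option>
    <!-- The drilldown previously sorted by "Date", a field that does not survive the
         stats, so the sort was a no-op; it now ranks hosts by count like the other
         per-host drilldowns. -->
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=7 EventType=4 | stats count sparkline AS Trend by host | sort - count</link>
    </drilldown>
  </single>
</panel>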


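<panel>
  <html>
    <h1>
      <center>Data Loss Protection Action Panel</center>
    </h1>
    <h3>
      <center>(Investigate any actions that appear here)</center>
    </h3>
  </html>
  <!-- DLP agent events from the System log (SourceName=scomc). Each tile groups
       events that share _time, host and user with "transaction" and then counts the
       groups, so a burst of identical agent events at one second counts once.
       NOTE(review): transaction is the expensive way to do this and is subject to
       its maxevents/memory limits; "stats count by _time, host, user | stats count"
       would presumably give the same figure far more cheaply, but confirm against live
       data before swapping. Fixed in this revision: every tile declared the linkView
       option twice. -->

  <!-- scomc 26: file shadow read. -->
  <single>
    <title>File Shadow Reads</title>
    <search>
      <query>index=winevents sourcetype=&quot;WinEventLog:System&quot; SourceName=scomc EventCode=26 | transaction _time, host, user | stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-7d</option>
    <option name="underLabel">Shadow Reads</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <option name="linkView">search</option>
    <option name="linkFields">result</option>
    <drilldown target="new">
      <link>/app/IA_Overview/DLP_Detailed</link>
    </drilldown>
  </single>

  <!-- scomc 25: file shadow write; 24h trend window. -->
  <single>
    <title>File Shadow Writes</title>
    <search>
      <query>index=winevents sourcetype=&quot;WinEventLog:System&quot; SourceName=scomc EventCode=25 | transaction _time, host, user | stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-24h</option>
    <option name="underLabel">Shadow Writes</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <option name="linkView">search</option>
    <option name="linkFields">result</option>
    <drilldown target="new">
      <link>/app/IA_Overview/DLP_Detailed</link>
    </drilldown>
  </single>

  <!-- scomc 18: file read blocked by policy. -->
  <single>
    <title>File Failed Reads</title>
    <search>
      <query>index=winevents sourcetype=&quot;WinEventLog:System&quot; SourceName=scomc EventCode=18 | transaction _time, host, user | stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-24h</option>
    <option name="underLabel">Failed Reads</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <option name="linkView">search</option>
    <option name="linkFields">result</option>
    <drilldown target="new">
      <link>/app/IA_Overview/DLP_Detailed</link>
    </drilldown>
  </single>

  <!-- scomc 19: file write blocked by policy. -->
  <single>
    <title>File Failed Writes</title>
    <search>
      <query>index=winevents sourcetype=&quot;WinEventLog:System&quot; SourceName=scomc EventCode=19 | transaction _time, host, user| stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-24h</option>
    <option name="underLabel">Failed Writes</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <option name="linkView">search</option>
    <option name="linkFields">result</option>
    <drilldown target="new">
      <link>/app/IA_Overview/DLP_Detailed</link>
    </drilldown>
  </single>

  <!-- scomc 14 and 16: removable media / device actions. -->
  <single>
    <title>Media/Device Actions</title>
    <search>
      <query>index=winevents sourcetype=&quot;WinEventLog:System&quot; SourceName=scomc (EventCode=14 OR EventCode=16) | transaction _time, host, user| stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">block</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">true</option>
    <option name="showTrendIndicator">true</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-24h</option>
    <option name="underLabel">Media/Device Actions</option>
    <option name="useColors">true</option>
    <option name="useThousandSeparators">true</option>
    <option name="linkView">search</option>
    <option name="linkFields">result</option>
    <drilldown target="new">
      <link>/app/IA_Overview/DLP_Detailed</link>
    </drilldown>
  </single>
</panel>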


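<panel>
  <title>Failed Logon Panel</title>
  <!-- Total failed logons: 4625 plus the legacy 529/531/532/533/535/537 failure codes
       (bad password, disabled, expired, time restriction, logon type not granted,
       unexpected error). The tile is coloured by its 24h trend rather than the value. -->
  <single>
    <title>Failed Logons</title>
    <search>
      <query>index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537  | stats count</query>
    </search>
    <option name="colorBy">trend</option>
    <option name="colorMode">none</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-24h</option>
    <option name="underLabel">Failed Logins</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <option name="linkView">search</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents EventCode=4625 OR EventCode=529 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=535 OR EventCode=537 | stats count sparkline AS Trend by user, signature | sort - count</link>
    </drilldown>
  </single>
  <!-- Failures for accounts that do not exist: 4625 with Sub_Status 0xC0000064 (the
       Windows "user name does not exist" sub-status), or legacy 529. Attempts against
       non-existent names are a classic sign of password spraying or username
       enumeration, which is why they get their own table. The rex pulls the attempted
       name out of the "Account For Which Logon Failed" block of the 4625 message; if
       the message layout differs (e.g. localized) facct is null and coalesce falls
       back to the extracted User_Name. The regex's "(?<" is written with an entity
       because a bare less-than sign is not allowed in XML element text.
       Fixed in this revision: an "eval Date=..." that no later command used. -->
  <table>
    <title>Failed Logons for Unknown Accounts</title>
    <search>
      <query>index=winevents sourcetype=&quot;WinEventLog:Security&quot; (EventCode=4625 Sub_Status=0xC0000064) OR (EventCode=529) | rex &quot;Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?&lt;facct>\S.*)&quot; | eval uacct=coalesce(facct,User_Name)| stats count sparkline AS Trend by uacct, host | rename count as &quot;Attempts&quot;, uacct as &quot;Account&quot; | sort - Attempts</query>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <format type="sparkline"
            field="Trend">
      <option name="lineColor">#5379af</option>
      <option name="fillColor">#CCDDFF</option>
      <option name="lineWidth">1</option>
      <option name="height">25px</option>
    </format>
  </table>
</panel>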
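<panel>
  <title>After Hours Panel</title>
  <!-- Successful logons (4624, legacy 528) of the kinds that imply a person at a
       console: Logon_Type 2 interactive, 7 unlock, 10 remote interactive (RDP),
       11 cached interactive. The search command evaluates OR before the implicit AND,
       so the original unparenthesised query already grouped the codes and the logon
       types separately; the parentheses make that explicit instead of relying on it.
       The hour comes from strftime in the searching user's Splunk time zone, not the
       workstation's, so a multi-time-zone estate will mislabel some logons.
       Fixes in this revision:
       * the hour is wrapped in tonumber() so the comparison is numeric by construction;
       * 18:00 to 18:59 is now included (>= 18), matching the title "After 6 PM";
       * the drilldown link is percent-decoded by the dashboard framework, and the
         bare "%H" in it is an invalid escape. That is the cause of the error
         "The URI to be decoded is not a valid encoding"; the percent sign in the link
         is therefore encoded as %25H (the query element is not decoded, so it keeps %H);
       * the less-than sign in element text is written as an entity. -->
  <single>
    <title>After Hours Logins (Before 6 AM or After 6 PM)</title>
    <search>
      <query>index=winevents (EventCode=4624 OR EventCode=528) (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) | eval logon_hour=tonumber(strftime(_time, &quot;%H&quot;)) | where (logon_hour >= 18 OR logon_hour &lt; 6) | stats count</query>
    </search>
    <option name="colorBy">trend</option>
    <option name="colorMode">none</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">[&quot;0x65a637&quot;,&quot;0xf7bc38&quot;,&quot;0xf58f39&quot;,&quot;0xd93f3c&quot;]</option>
    <option name="rangeValues">[0,10,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">inverse</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="trendInterval">-24h</option>
    <option name="underLabel">After Hours Logins</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <option name="linkView">search</option>
    <drilldown target="new">
      <link>/app/IA_Overview/search?q=index=winevents sourcetype=&quot;WinEventLog:Security&quot; (EventCode=4624 OR EventCode=528) (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) | eval logon_hour=tonumber(strftime(_time, &quot;%25H&quot;)) | where (logon_hour >= 18 OR logon_hour &lt; 6) | stats count sparkline AS Trend by user, host | rename count as &quot;Attempts&quot;, user as &quot;Account&quot; | sort - Attempts</link>
    </drilldown>
  </single>
  <!-- Same population as the tile, broken down per account and host. -->
  <table>
    <title>After Hours Logins</title>
    <search>
      <query>index=winevents sourcetype=&quot;WinEventLog:Security&quot; (EventCode=4624 OR EventCode=528) (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) | eval logon_hour=tonumber(strftime(_time, &quot;%H&quot;)) | where (logon_hour >= 18 OR logon_hour &lt; 6) | stats count sparkline AS Trend by user, host | rename count as &quot;Attempts&quot;, user as &quot;Account&quot; | sort - Attempts</query>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
    <format field="Trend"
            type="sparkline">
      <option name="lineWidth">1</option>
      <option name="lineColor">#5379af</option>
      <option name="fillColor">#CCDDFF</option>
      <option name="height">25px</option>
    </format>
  </table>
</panel>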


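<panel>
  <!-- Successful logons (4624) over the last 90 days by members of "Domain Admins",
       as listed in the AD_Groups.csv lookup. The subsearch turns the member list into
       an OR of user=... terms, so an admin missing from the lookup is simply not
       shown: keep the lookup refreshed, and remember the default subsearch limits
       apply if the group ever grows large. No Logon_Type filter is applied, so network
       and service logons are counted alongside interactive ones. -->
  <table>
    <title>Domain Admin Activity</title>
    <search>
      <query>index=winevents EventCode=4624 [|inputlookup AD_Groups.csv| search group_name=&quot;Domain Admins&quot; |table member_name| rename member_name AS user]|stats count sparkline AS Trend by user | sort - count</query>
      <earliest>-90d@d</earliest>
      <latest>now</latest>
    </search>
    <format field="Trend"
            type="sparkline">
      <option name="lineWidth">1</option>
      <option name="lineColor">#5379af</option>
      <option name="fillColor">#CCDDFF</option>
      <option name="height">25px</option>
    </format>
    <!-- $row.user$ is the user of the clicked row whichever column is clicked; the
         previous $click.value2$ was the clicked cell's value, so clicking the count or
         Trend column passed a number or sparkline string as the account token.
         NOTE(review): confirm the token is percent-encoded when it is substituted into
         the link; if not, use $row.user|u$. -->
    <drilldown target="new">
      <link>/app/IA_Overview/Win_Priv_Detail?form.usertok=$row.user$</link>
    </drilldown>
  </table>
</panel>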