I'm working on creating either a report with a table or a dashboard to visualize the status of my Windows Audit Policy. The purpose of the report/dashboard is to measure compliance and detect any GPO/Configuration errors. I'm having trouble trying to identify how I'm going to figure out how to implement this.
My events, after a transaction command, look like the following:
Field: Values:
Security_System_Extension Success and Failure
System_Integrity Success and Failure
Logon Success and Failure
Logoff Failure
DPAPI_Activity No Auditing
...and so on....
One way that I could working well is the following chart where the numbers are the result of a stats dc(host) or something:
Chart
. Success Failure Success and Failure No Auditing
Security_System_Extension 4 0 100 0
System_Integrity 0 0 104 0
Logon 0 0 104 0
Another way involving an eval or replace on a by-field basis could be:
Chart
. Compliant Non-Compliant
Security_System_Extension 100 4
System_Integrity 104 0
Logon 104 0
Currently, the only thing that I can think of is creating a dashboard with lots of panels - one for each field - | stats dc(host) by Security_System_Extension
Security_System_Extension dc(host)
Success 4
Success and Failure 100
Any recommendations on how to get something like depicted in the other examples?
| makeresults count=200
| eval raw=split("Success,Success_and_Failure,Failure,No_Auditing",",")
| eval value=mvindex(raw,random()%3)
| eval alphabet=split("abcdefg","")
| eval Field=mvindex(alphabet,random()%7)
| table Field value
`comment("this is sample data")`
| stats count(eval(value="Success")) as Success,count(eval(value="Success_and_Failure")) as Success_and_Failure
,count(eval(value="Failure")) as Failure,count(eval(value="No_Auditing")) as No_Auditing by Field
Hi, This is sample query, How about this?
| makeresults count=200
| eval raw=split("Success,Success_and_Failure,Failure,No_Auditing",",")
| eval value=mvindex(raw,random()%3)
| eval alphabet=split("abcdefg","")
| eval Field=mvindex(alphabet,random()%7)
| table Field value
`comment("this is sample data")`
| stats count(eval(value="Success")) as Success,count(eval(value="Success_and_Failure")) as Success_and_Failure
,count(eval(value="Failure")) as Failure,count(eval(value="No_Auditing")) as No_Auditing by Field
Hi, This is sample query, How about this?
You search works well, but my problem is I do not have a field named Field in my results. Each of my fields are named differently. I started going down a path of fieldsummary to get a list of fieldnames and assign them to a new field, but I can't seem to figure it out.
Rows 8 and 9 are actually a single line. I'm getting a field named "Field" in my results. The BY clause guarantees Field is there.
P.S.: Nice sample data, to4kawa!!
thanks, @rmmiller You can move in two lines.
@danielransell
My query is a sample, so you can change it to an appropriate field name.
Is the log given as an example different in the first place?
My sample data is supposed to be one big event. My dilemma is having ~60 field names. Your line 8 and 9 works great when each event has a Field value of a, b, c, d, e, f, g. You can then sum by each of those field values. Each event for me has ~60 key value pairs.
It would be great if I could neatly display a single line for each field name (which corresponds to one of Windows Advanced Audit Policy names), and display dc(hosts) by the specific field name.
I may just end up with a dashboard with 60 panels, incorporating your count functions. Alternatively, I may be able to get creative using a fieldsummary command, and using a lookup of the 60 fields I need, then messing with the values column. Just hoping there is a cleaner way.
| makeresults
| eval audit="\"Audit Credential Validation\",\"Audit Kerberos Authentication Service\",\"Audit Kerberos Service Ticket Operations\",\"Audit Other Account Logon Events\",\"Audit Application Group Management\",\"Audit Computer Account Management\",\"Audit Distribution Group Management\",\"Audit Other Account Management Events\",\"Audit Security Group Management\",\"Audit User Account Management\",\"Audit DPAPI Activity\",\"Audit Process Creation\",\"Audit Process Termination\",\"Audit RPC Events\",\"Audit Detailed Directory Service Replication\",\"Audit Directory Service Access\",\"Audit Directory Service Changes\",\"Audit Directory Service Replication\",\"Audit Account Lockout\",\"Audit User/Device Claims\",\"Audit IPsec Extended Mode\",\"Audit IPsec Main Mode\",\"Audit IPsec Quick Mode\",\"Audit Logoff\",\"Audit Logon\",\"Audit Network Policy Server\",\"Audit Other Logon/Logoff Events\",\"Audit Special Logon\",\"Audit Application Generated\",\"Audit Certification Services\",\"Audit Detailed File Share\",\"Audit File Share\",\"Audit File System\",\"Audit Filtering Platform Connection\",\"Audit Filtering Platform Packet Drop\",\"Audit Handle Manipulation\",\"Audit Kernel Object\",\"Audit Other Object Access Events\",\"Audit Registry\",\"Audit Removable Storage\",\"Audit SAM\",\"Audit Central Access Policy Staging\",\"Audit Audit Policy Change\",\"Audit Authentication Policy Change\",\"Audit Authorization Policy Change\",\"Audit Filtering Platform Policy Change\",\"Audit MPSSVC Rule-Level Policy Change\",\"Audit Other Policy Change Events\",\"Audit n Sensitive Privilege Use\",\"Audit Other Privilege Use Events\",\"Audit Sensitive Privilege Use\",\"Audit IPsec Driver\",\"Audit Other System Events\",\"Audit Security State Change\",\"Audit Security System Extension\",\"Audit System Integrity\",\"Audit IPsec Driver\",\"Audit Other System Events\",\"Audit Security State Change\",\"Audit Security System Extension\",\"Audit System Integrity\""
| makemv delim="," audit
| mvexpand audit
| eval raw=split("Success,Success_and_Failure,Failure,No_Auditing",",")
| eval value=mvindex(raw,random()%3)
| table audit value
`comment("this is sample data")`
| stats count(eval(value="Success")) as Success,count(eval(value="Success_and_Failure")) as Success_and_Failure
,count(eval(value="Failure")) as Failure,count(eval(value="No_Auditing")) as No_Auditing by audit
If your query is properly tabulated, it will work
Thanks for all the help in this. Ultimately, my data did not match your example well - so I made a couple more field extractions and it worked. Originally I created 59 field extractions for each audit policy subcategory. Then Account Lockout would have a value of Success and Failure, and so on and so on 58 more times.
In order to get my report in a manner that I like, I added an extraction for the Audit Policy Name (AuditPolicy_SubCategory in the code below), so that would equal Account Lockout, then I added an extraction for the Audit Policy Value (AuditPolicyValue below), so that would equal Success, Success and Failure, Failure or No Auditing. With these extractions in place, my final search looks like this:
index=idx sourcetype=auditpolicy
| dedup host, AuditPolicy_SubCategory
| table AuditPolicy_SubCategory, AuditPolicyValue
| stats count(eval(AuditPolicyValue="Success")) as Success, count(eval(AuditPolicyValue="Success and Failure)) as "Success and Failure", count(eval(AuditPolicyValue="Failure")) as Failure, count(eval(AuditPolicyValue="No Auditing")) as "No Auditing" by AuditPolicy_SubCategory
Thanks for the help to4kawa. Marking yours as the answer and awarded some points.
I think I see what’s going on - really looking forward to giving this a try on Monday.