Locked out account searchform
Account Lockout Search
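<!-- Base search: Windows Security events that explain an account lockout.
     4740 account locked out, 4767 account unlocked, 4625 failed logon,
     4723 password change attempt, 4724 password reset attempt,
     4769 Kerberos service ticket request, 4776 NTLM credential validation.
     The EventCode alternatives are parenthesised so the grouping is explicit
     and does not rely on operator precedence.
     The form value is inserted through the |s token filter, which wraps it in
     quotes and escapes embedded quotes, so text typed into the form stays a
     single value for user= and cannot add search syntax of its own.
     The trailing table command fixes the field list that every post-process
     panel of this form can see. -->
eventtype="windows_events" sourcetype="WinEventLog:Security"
  (EventCode=4740 OR EventCode=4723 OR EventCode=4724 OR EventCode=4625 OR EventCode=4769 OR EventCode=4767 OR EventCode=4776)
  user=$user|s$
| eval Workstation_Name=coalesce(Workstation_Name,Source_Workstation)
| table _time, src_ip, user, action, Workstation_Name, src_nt_host, name, Failure_Reason
| rename name AS Description
| sort user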
<!-- Free-text input bound to the "user" token. The default value is "*", so
leaving the box unchanged searches every account; the typed value replaces
$user$ in the search string.
NOTE(review): this is unvalidated free text, so the search should reference the
token through a quoting filter such as $user|s$; confirm how the search
consumes it. -->
<input type="text" token="user">
<default>*</default>
</input>
<!-- Time range picker for the search; defaults to the last 15 minutes up to now.
NOTE(review): the failed logons behind a lockout may be older than 15 minutes;
widen the range when the default window shows only the 4740 event. -->
<input type="time">
<default>
<earliestTime>-15m</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
<!-- Results panel: lists the events returned by the search, with the count
option set to 50 rows. -->
<panel>
<table>
<event>
<title>Results</title>
<option name="count">50</option>
</event>
</table>
</panel>
<!-- Bar chart of the 20 most frequent Description values. Description is the
event's "name" field as renamed by the search this post-process runs on. -->
<panel>
<chart>
<title>Top Descriptions</title>
<searchPostProcess>| top limit=20 Description</searchPostProcess>
<option name="charting.chart">bar</option>
</chart>
</panel>
<!-- Event count over time split by src_ip, limited to 10 series. Useful for
spotting which source address is generating the failures for an account.
The post-process needs _time, which the search keeps in its table command. -->
<panel>
<chart>
<title>Top Source IP by Time</title>
<searchPostProcess>| timechart count by src_ip limit=10</searchPostProcess>
<option name="charting.chart">bar</option>
</chart>
</panel>
<!-- Per-user event count with a sparkline column; the format element tells the
table to render the "sparkline" field as a sparkline rather than as text. -->
<panel>
<table>
<title>Count over time</title>
<searchPostProcess>| chart sparkline count by user</searchPostProcess>
<format field="sparkline" type="sparkline"></format>
</table>
</panel>