I am using Splunk (7.3.3) and I am having tremendous difficulties trying to create a dashboard that can show (or 'report') the following information:
I feel like the majority of these would be common things that people want to use to track these types of issues for their applications and was wondering if anybody would be available to share queries they have used in Splunk 7.3.3.
For simpler stuff such as Windows logons (event code) I am having success using the following query:
index=windows EventCode=4624 | stats count BY TargetUserName
- I also pipe in some AND NOTs to prune out bad logs that I am not interested in, but took them out for the sake of the query.
For Windows Admin Logins, I am creating a report that runs the query index=* source="*WinEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators) and adding the report to the dashboard.
Some of those questions have example answers in the Splunk Security Essentials app. Others may be answered by the Splunk Essentials for Infrastructure Troubleshooting and Monitoring app or another app. See apps.splunk.com for these and other apps that may help.
Looking for OCONUS logins is a matter of using the iplocation command to map an IP address to a country and filtering out all the "United States" results, thus leaving only OCONUS logins (mostly).
Unsuccessful attempts to bypass login may or may not be reported. This depends on the specific application or device. Likewise for unenforced PKI, MFA, etc. Or, you may need to correlate logs from separate sources, such as AD for login and another source for MFA.
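As an added illustration (not code from either post above), the following Python models the three pieces of logic discussed in this thread over constructed sample events: the `stats count BY TargetUserName` report from the question, the iplocation-style country filter from the answer, and the correlation of AD logon events with a separate MFA source. The `GEO` table is an assumed stand-in for Splunk's iplocation lookup, and `WIN_EVENTS` and `MFA_EVENTS` are made-up sample lines, not real logs; the SPL fragments in the docstrings are the equivalent searches.

```python
from collections import Counter

# Constructed sample of Windows Security events in key=value form, as Splunk
# would extract them. 4624 = successful logon, 4625 = failed logon. Not real data.
WIN_EVENTS = """\
EventCode=4624 TargetUserName=alice LogonType=10 IpAddress=203.0.113.7
EventCode=4624 TargetUserName=bob LogonType=3 IpAddress=198.51.100.22
EventCode=4624 TargetUserName=alice LogonType=10 IpAddress=192.0.2.15
EventCode=4625 TargetUserName=mallory LogonType=10 IpAddress=203.0.113.7
EventCode=4624 TargetUserName=carol LogonType=10 IpAddress=198.51.100.22
EventCode=4624 TargetUserName=svc_backup LogonType=5 IpAddress=-
"""

# Constructed lookup standing in for Splunk's iplocation command (assumption:
# a real deployment resolves countries from the bundled GeoIP database).
GEO = {
    "203.0.113.7": "United Kingdom",
    "198.51.100.22": "United States",
    "192.0.2.15": "United States",
}

# Constructed events from a separate MFA source, to be correlated with the AD logons.
MFA_EVENTS = """\
user=alice result=success
user=bob result=success
"""

# Logon types that represent a human at a console (2) or RDP session (10).
INTERACTIVE_LOGON_TYPES = {"2", "10"}


def parse_kv(line):
    """Turn 'k=v k=v' into a dict (the shape Splunk's field extraction produces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def parse_events(text):
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def logons_by_user(events):
    """Equivalent of: index=windows EventCode=4624 | stats count BY TargetUserName"""
    return Counter(e["TargetUserName"] for e in events if e["EventCode"] == "4624")


def oconus_logons(events, geo):
    """Equivalent of: ... EventCode=4624 | iplocation IpAddress | search Country!="United States"

    Events whose address cannot be resolved (local logons show IpAddress=-)
    get Country=None and are kept for review; this is where the "mostly" in
    the answer above comes from, so do not silently drop them.
    """
    out = []
    for e in events:
        if e["EventCode"] != "4624":
            continue
        country = geo.get(e["IpAddress"])
        if country != "United States":
            out.append({"TargetUserName": e["TargetUserName"],
                        "IpAddress": e["IpAddress"],
                        "Country": country})
    return out


def interactive_logons_without_mfa(events, mfa_text):
    """Correlate AD logons with the MFA source: interactive 4624 users with no MFA success."""
    mfa_ok = {m["user"] for m in parse_events(mfa_text) if m["result"] == "success"}
    users = {e["TargetUserName"] for e in events
             if e["EventCode"] == "4624" and e["LogonType"] in INTERACTIVE_LOGON_TYPES}
    return users - mfa_ok


if __name__ == "__main__":
    evts = parse_events(WIN_EVENTS)
    print(logons_by_user(evts))
    for row in oconus_logons(evts, GEO):
        print("OCONUS or unresolved:", row)
    print("interactive logon with no MFA:", interactive_logons_without_mfa(evts, MFA_EVENTS))
```

In Splunk itself the correlation would be a `join` or a `stats values(...) by user` across both sourcetypes, and the MFA field names depend entirely on the provider, which is the point the answer makes about needing a second source.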