Splunk is a great tool for visualising alerts and events, I’ve been creating a dashboard to aggregate all the failed logon attempts from management interfaces of our network switches, firewalls, storage etc. so that if someone tries to brute force password attempt the interfaces we have some visibility.
Obviously the queries you need to use will be different in your environment, but here is a simple example Dashboard XML configuration that you can use to create a 3 box/panel dashboard (on one row). If you want to add more rows, its as easy as adding another <row></row> and adding the relevant panels in between!
<dashboard version="1.1" theme="light" script="custom_layout_width.js">
<label>Title of Dashboard</label>
<row>
<panel id="onefailedlogonattempts">
<title>DEVICENAME - Failed Logon Attempts (last 24 Hours)</title>
<single>
<search>
<query>index="myindex" "user authentication failed" | stats count as Total</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel id="onefailedlogonattempts">
<title>DEVICENAME - Failed Logon Attempts (last 24 Hours)</title>
<single>
<search>
<query>index="myindex" "user authentication failed" | stats count as Total</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel id="onefailedlogonattempts">
<title>DEVICENAME - Failed Logon Attempts (last 24 Hours)</title>
<single>
<search>
<query>index="myindex" "user authentication failed" | stats count as Total</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
</single>
</panel>
</row>
</dashboard>Its quite a simple example, but it gives you something to build from, you can add additional panels and update the queries to fit your needs.
