Contact Now

SIEM Visualization Example 1

admin
Updated on 4 March 2026

6 min read

SIEM Visualization Example 1: Failed Logon Attempts (All Users) #

Dashboards in SIEM solutions serve as containers for multiple visualizations, allowing us to organize and display data in a meaningful way.

In this and the following sections, we will create a dashboard and some visualizations from scratch.

Developing Our First Dashboard & Visualization #

Navigate to the bottom of this section and click on Click here to spawn the target system!

Now, navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on “Dashboard”.

Delete the existing “SOC-Alerts” dashboard as follows.

Elastic dashboard interface showing 'SOC-Alerts' with options to delete or create a dashboard.

When visiting the Dashboard page again we will be presented with a message indicating that no dashboards currently exist. Additionally, there will be an option available to create a new Dashboard and its first visualization. To initiate the creation of our first dashboard, we simply have to click on the “Create new dashboard” button.

Elastic interface prompting to create the first dashboard with options to install sample data and create a new dashboard.

Now, to initiate the creation of our first visualization, we simply have to click on the “Create visualization” button.

Elastic interface for editing a new dashboard, prompting to add the first visualization with options to create or add from library.

Upon initiating the creation of our first visualization, the following new window will appear with various options and settings.

Before proceeding with any configuration, it is important for us to first click on the calendar icon to open the time picker. Then, we need to specify the date range as “last 15 years”. Finally, we can click on the “Apply” button to apply the specified date range to the data.

Elastic dashboard creation interface with options to add filter, select index pattern 'windows*', search field names, and choose 'Bar vertical stacked' visualization.

There are four things for us to notice on this window:

  1. A filter option that allows us to filter the data before creating a graph. For example, if our goal is to display failed logon attempts, we can use a filter to only consider event IDs that match 4625 – Failed logon attempt on a Windows system. The following image demonstrates how we can specify such a filter.Elastic dashboard interface with 'Add filter' option open, setting filter for 'event.code' to '4625' using operator 'is'.
  2. This field indicates the data set (index) that we are going to use. It is common for data from various infrastructure sources to be separated into different indices, such as network, Windows, Linux, etc. In this particular example, we will specify windows* in the “Index pattern”.
  3. This search bar provides us with the ability to double-check the existence of a specific field within our data set, serving as another way to ensure that we are looking at the correct data. For example, let’s say we are interested in the user.name.keyword field. We can use the search bar to quickly perform a search and verify if this field is present and discovered within our selected data set. This allows us to confirm that we are accessing the desired field and working with accurate data.Elastic dashboard interface with a filter for 'event.code: 4625' and search for fields starting with 'user.' showing available fields like 'user.name.keyword'.“Why user.name.keyword and not user.name?”, you may ask. We should use the .keyword field when it comes to aggregations. Please refer to this stackoverflow question for a more elaborate answer.
  4. Lastly, this drop-down menu enables us to select the type of visualization we want to create. The default option displayed in the earlier image is “Bar vertical stacked”. If we click on that button, it will reveal additional available options (image redacted as not all options fit on the screen). From this expanded list, we can choose the desired visualization type that best suits our requirements and data presentation needs.Elastic interface showing visualization type options with 'Bar vertical stacked' selected, including other options like 'Metric' and 'Table'.

For this visualization, let’s select the “Table” option. After selecting the “Table”, we can proceed to click on the “Rows” option. This will allow us to choose the specific data elements that we want to include in the table view.

Elastic table configuration interface with options to add or drag-and-drop fields for rows, columns, and metrics.

Let’s configure the “Rows” settings as follows.

Elastic interface for configuring rows, selecting 'user.name.keyword' field, displaying top 1000 values, ranked by count of records in descending order.

Note: You will notice Rank by Alphabetical and not Rank by Count of records like in the screenshot above. This is OK. By the time you perform the next configuration below, Count of records will become available.

Moving forward, let’s close the “Rows” window and proceed to enter the “Metrics” configuration.

Elastic table configuration showing 'windows*' index pattern, with 'Top values of user.name.keyword' in rows, and options to add fields to columns and metrics.

In the “Metrics” window, let’s select “count” as the desired metric.

Elastic metrics configuration interface showing quick functions like Average, Count, and Sum, with 'Count' selected.

As soon as we select “Count” as the metric, we will observe that the table gets populated with data (assuming that there are events present in the selected data set)

Elastic table showing top values of 'user.name.keyword' with counts, and metrics configuration set to 'Count' for records.

One final addition to the table is to include another “Rows” setting to show the machine where the failed logon attempt occurred. To do this, we will select the host.hostname.keyword field, which represents the computer reporting the failed logon attempt. This will allow us to display the hostname or machine name alongside the count of failed logon attempts, as shown in the image.

Elastic table showing top values of 'user.name.keyword' and 'host.hostname.keyword' with record counts, configured in rows.

Now we can see three columns in the table, which contain the following information:

  1. The username of the individuals logging in (Note: It currently displays both users and computers. Ideally, a filter should be implemented to exclude computer devices and only display users).
  2. The machine on which the logon attempt occurred.
  3. The number of times the event has occurred (based on the specified time frame or the entire data set, depending on the settings).

Finally, click on “Save and return”, and you will observe that the new visualization is added to the dashboard, appearing as shown in the following image.

Elastic dashboard showing a table with top values of user names and hostnames, and their record counts.

Let’s not forget to save the dashboard as well. We can do so by simply clicking on the “Save” button.

Elastic interface showing 'Save dashboard' dialog with title 'SOC-Alerts', description for HTB Academy's SOC Analyst Job-Role Path, and option to store time with dashboard.

Refining The Visualization #

Suppose the SOC Manager suggested the following refinements:

  • Clearer column names should be specified in the visualization
  • The Logon Type should be included in the visualization
  • The results in the visualization should be sorted
  • The DESKTOP-DPOESND, WIN-OK9BH1BCKSD, and WIN-RMMGJA7T9TC usernames should not be monitored
  • Computer accounts should not be monitored (not a good practice)

Let’s refine the visualization we created, so that it fulfills the suggestions above.

Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on “Dashboard”.

The dashboard we previously created should be visible. Let’s click on the “pencil”/edit icon.

Elastic dashboard interface showing a list with 'SOC-Alerts' and options to create or edit a dashboard.

Let’s now click on the “gear” button at the upper-right corner of our visualization, and then click on “Edit lens”.

Elastic dashboard editing 'SOC-Alerts' with a table of top user and hostnames, and options to edit lens, clone panel, or edit panel title.

“Top values of user.name.keyword” should be changed as follows.

Elastic table configuration with 'Top values of user.name.keyword' and 'host.hostname.keyword' in rows, and 'Count of records' in metrics.
Elastic interface for configuring rows, selecting 'user.name.keyword' field, displaying top 1000 values, ranked alphabetically in ascending order, with display name 'Username'.

“Top values of host.hostname.keyword” should be changed as follows.

Elastic interface for configuring rows, selecting 'host.hostname.keyword' field, displaying top 1000 values, ranked by count of records in descending order, with display name 'Event logged by'.

The “Logon Type” can be added as follows (we will use the winlog.logon.type.keyword field).

Elastic table configuration with 'Top values of user.name.keyword' and 'Event logged by' in rows, and 'Count of records' in metrics, with option to add fields.
Rows configuration panel with 'winlog.logon.type.keyword' field selected, number of values set to 1000, ranked by count of records in descending order, display name 'Logon Type'.

“Count of records” should be changed as follows. Metrics panel with 'Count' function selected, field set to 'Records', display name '# of logins', text alignment 'Right'.

We can introduce result sorting as follows. Elastic dashboard showing a table with columns: Username, Event logged by, Logon Type, and '# of logins' sorted descending.

All we have to do now is click on “Save and return”.

The DESKTOP-DPOESND, WIN-OK9BH1BCKSD, and WIN-RMMGJA7T9TC usernames can be excluded by specifying additional filters as follows.

Elastic dashboard with filter settings: Field 'user.name.keyword', operator 'is not', value 'DESKTOP-DPOESND'.

Computer accounts can be excluded by specifying the following KQL query and clicking on the “Update” button.

  SIEM Visualization Example 1: Failed Logon Attempts (All Users)

NOT user.name: *<strong>$</strong> AND winlog.channel.keyword: Security

The AND winlog.channel.keyword: Security part is to ensure that no unrelated logs are accounted for.

Elastic dashboard with filters: NOT user.name:*$ AND winlog.channel.keyword: Security, showing a table with columns: Username, Event logged by, Logon Type, and '# of logins'.

This is our visualization after all the refinements we performed.

Elastic dashboard with filters: NOT user.name:*$ AND winlog.channel.keyword: Security, displaying a table with columns: Username, Event logged by, Logon Type, and '# of logins'.

Finally, let’s give our visualization a title by clicking on “No Title”.

Elastic dashboard with filters applied, showing a table with columns: Username, Event logged by, Logon Type, and '# of logins'. Customize panel dialog open with 'Show panel title' option.
Table of contents

Share This Article :

Leave a Reply

Your email address will not be published. Required fields are marked *