It might be worth taking a look at the Data Sources which can be found on the Hosts page and seeing if it is reading from a source which should have successful authentications.
In a nutshell, you can look at the Elastic DSL query directly by clicking on the magnifying glass of any widget, but if you want to see if you have any successes you can also use timeline through this KQL query:
"event.category": "authentication" and "event.outcome": "success"
We're checking for both of those to see if there is a success. If you have a lot of failures like I see below that's the query:
"event.category": "authentication" and "event.outcome": "failure"
To explore and see what indexes have what data. The dashes in the above screenshot for "Last success" and "Last successful source" seem to show that those fields aren't filled out within your index.
The large number of failures seems to indicate that you have outsiders attacking your network and trying to use the user of either "administrator" or "ADMINISTRATOR" with lots of failures and no successes. Or you have a rogue process/script doing something with lots of failures.
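As an added illustration of what the two KQL filters above select, and of the "many failures, no successes" pattern the reply describes, here is a small Python script that applies the same event.category / event.outcome test to a handful of constructed ECS-style documents and builds the per-user counts, last success and last successful source that the Hosts page widget shows. This is example code written for this page, not code from the original post or from Elastic; the sample events, the flattened dotted field names and the failure threshold are assumptions.

```python
"""Classify constructed ECS-style authentication events the way the
Security app's Authentications widget does, and flag users that only fail."""
from collections import defaultdict


def _ev(ts, outcome, user, ip, category="authentication"):
    # ECS field names, flattened to dotted keys for brevity (assumption).
    return {"@timestamp": ts, "event.category": category,
            "event.outcome": outcome, "user.name": user, "source.ip": ip}


# Constructed sample data, not real logs: a burst of failures for
# "administrator" / "ADMINISTRATOR" from two addresses, a normal user with
# mixed results, and one non-authentication event that must be ignored.
SAMPLE_EVENTS = (
    [_ev(f"2023-05-01T10:00:{i:02d}Z", "failure", "administrator", "203.0.113.5") for i in range(6)]
    + [_ev(f"2023-05-01T10:01:{i:02d}Z", "failure", "ADMINISTRATOR", "198.51.100.7") for i in range(5)]
    + [_ev("2023-05-01T10:05:00Z", "success", "alice", "10.0.0.8"),
       _ev("2023-05-01T10:06:00Z", "failure", "alice", "10.0.0.8"),
       _ev("2023-05-01T10:07:30Z", "success", "alice", "10.0.0.8"),
       _ev("2023-05-01T10:08:00Z", "success", "alice", "10.0.0.8", category="process")]
)


def matches_kql(event, category, outcome):
    """Python equivalent of the KQL filter
    "event.category": <category> and "event.outcome": <outcome>.
    event.category is an array field in ECS, so accept a list or a scalar."""
    cat = event.get("event.category")
    cats = cat if isinstance(cat, list) else [cat]
    return category in cats and event.get("event.outcome") == outcome


def summarize(events, casefold_users=True):
    """Per-user success/failure counts plus the last success and its source,
    i.e. the columns shown by the Hosts page Authentications widget.
    casefold_users merges "administrator" and "ADMINISTRATOR" (assumption)."""
    summary = defaultdict(lambda: {"successes": 0, "failures": 0,
                                   "last_success": None,
                                   "last_success_source": None,
                                   "failure_sources": set()})
    for ev in events:
        user = ev.get("user.name")
        if user is None:
            continue
        rec = summary[user.casefold() if casefold_users else user]
        if matches_kql(ev, "authentication", "success"):
            rec["successes"] += 1
            ts = ev["@timestamp"]  # ISO-8601 UTC strings compare lexically
            if rec["last_success"] is None or ts > rec["last_success"]:
                rec["last_success"] = ts
                rec["last_success_source"] = ev.get("source.ip")
        elif matches_kql(ev, "authentication", "failure"):
            rec["failures"] += 1
            rec["failure_sources"].add(ev.get("source.ip"))
    return dict(summary)


def suspicious_users(summary, min_failures=10):
    """Users with at least min_failures failures and no success at all,
    the pattern that suggests a password-guessing source or a misconfigured
    script. The threshold of 10 is an assumption for the example."""
    return sorted(u for u, r in summary.items()
                  if r["failures"] >= min_failures and r["successes"] == 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for user, rec in sorted(s.items()):
        print(user, rec["successes"], rec["failures"], rec["last_success"],
              rec["last_success_source"], sorted(rec["failure_sources"]))
    print("suspicious:", suspicious_users(s))
```

With the constructed data the script reports "administrator" with 11 failures, no successes and dashes (None) for last success and last successful source, which is the same picture as the widget described above; "alice" shows two successes, one failure and a populated last success, and the process event is never counted.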