1. First of all, make sure you have Winlogbeat running with admin permissions, otherwise the Security events won't be collected.
2. Create a scripted field called hour_of_day with the following value:
   Set the Type to Number, the format to Duration, Input format to Minutes, Output format to Hours. There is a small hitch here, as it will show the time with decimal points for Hours instead of minutes; I've added an issue to make this more useful: https://github.com/elastic/kibana/issues/26128
3. Create a visualization (I used a bar chart), with the following settings:
   - event_id:4624 in the search bar or as a filter: this is the event ID for all successful logons in Windows.
   - On the Y-Axis, set to Top hit aggregation, on the field , Aggregate on set to , Size set to 1, Sort on set to the @timestamp field, Order as ascending.
   - On the X-Axis, set to a Date Histogram, on the @timestamp field, with a Daily interval.
   - Optionally, you can split the series with a Terms aggregation on the user.name field to show the top X users (as many as you set in the Size field), or even better, do a Filter aggregation instead of Terms and add a filter for each user that you're interested in, something like this:
You can see how this chart would look over here:
You can get ideas for more cool stuff to do with the Winlogbeat data from this blog post: https://www.elastic.co/blog/monitoring-windows-logons-with-winlogbeat
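The logic the visualization above performs (keep only event_id 4624, take the earliest hit per user per day, and express it as minutes since midnight so a Duration format can render it as an hour of day), as an added Python example that is not part of the original post or of Winlogbeat/Kibana. The events are constructed sample documents using the event_id and user.name field names from the post; the optional user filter mirrors the Filter-aggregation variant, and the two formatters show the decimal-hours output the post calls a hitch next to an HH:MM rendering.

```python
from datetime import datetime, timezone

# Constructed sample events (not real logs), shaped like the fields the post uses.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-04T07:42:10Z", "event_id": 4624, "user.name": "alice"},
    {"@timestamp": "2024-03-04T09:15:00Z", "event_id": 4624, "user.name": "alice"},  # later logon, ignored
    {"@timestamp": "2024-03-04T05:59:00Z", "event_id": 4634, "user.name": "bob"},    # logoff, filtered out
    {"@timestamp": "2024-03-04T06:05:30Z", "event_id": 4624, "user.name": "bob"},
    {"@timestamp": "2024-03-05T08:01:00Z", "event_id": 4624, "user.name": "alice"},
    {"@timestamp": "2024-03-05T22:30:00Z", "event_id": 4624, "user.name": "carol"},
]

SUCCESSFUL_LOGON = 4624  # Windows Security event ID for a successful logon


def parse_ts(ts):
    """Parse the UTC ISO-8601 timestamp Winlogbeat writes into @timestamp."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_of_day_minutes(ts):
    """Minutes since midnight UTC: what the hour_of_day scripted field (Input format Minutes) yields."""
    dt = parse_ts(ts)
    return dt.hour * 60 + dt.minute


def first_logon_per_user_per_day(events, users=None):
    """Equivalent of Top hit / Size 1 / Sort @timestamp ascending, split by day and user.name.

    Returns {(day, user): minutes_since_midnight}. If `users` is given, only those
    accounts are kept (the Filter-aggregation alternative from the post).
    """
    earliest = {}
    for ev in events:
        if ev.get("event_id") != SUCCESSFUL_LOGON:
            continue  # search bar / filter: event_id:4624
        user = ev.get("user.name")
        if users is not None and user not in users:
            continue
        dt = parse_ts(ev["@timestamp"])
        key = (dt.strftime("%Y-%m-%d"), user)  # Daily date histogram bucket + series split
        if key not in earliest or dt < earliest[key]:
            earliest[key] = dt  # keep the earliest hit in the bucket
    return {k: v.hour * 60 + v.minute for k, v in earliest.items()}


def format_duration_hours(minutes):
    """Decimal hours, the way a Duration format with Output format Hours renders 462 minutes."""
    return f"{minutes / 60:.2f}"


def format_hhmm(minutes):
    """HH:MM rendering, the form the post's Kibana issue asks for."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


if __name__ == "__main__":
    for (day, user), mins in sorted(first_logon_per_user_per_day(SAMPLE_EVENTS).items()):
        print(day, user, format_duration_hours(mins), "h  =", format_hhmm(mins))
```

Running the block prints one row per (day, user) with the first logon both as decimal hours and as HH:MM; grouping by calendar day in UTC matches a Daily interval on @timestamp only when Kibana's configured time zone is UTC, so adjust `parse_ts` if the visualization uses a local zone.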