This page provides instructions for installing the Cloud Security Monitoring & Analytics for Windows App, along with examples of each of the App dashboards. The Cloud Security Monitoring & Analytics for Windows App offers pre-built dashboards and queries to help you track your Windows system, user accounts, login activity, and Windows updates.
Install the Sumo Logic App
Now that you have set up collection, install the Cloud Security Monitoring & Analytics for Windows App to use the pre-configured searches and Dashboards that provide insight into your data.
To install the app:
Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.
From the App Catalog, search for and select the app.
Select the version of the service you're using and click Add to Library.
To install the app, complete the following fields.
App Name. You can retain the existing name, or enter a name of your choice for the app.
Data Source. Select either of these options for the data source.
Choose Source Category, and select a source category from the list.
Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).
Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
Click Add to Library.
Once an app is installed, it appears in your Personal folder or in the other folder you specified. From there, you can share it with your organization.
Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.
Dashboard Filter with Template Variables
Template variables provide dynamic dashboards that rescope data on the fly. As you apply variables to troubleshoot through your dashboard, you can view dynamic changes to the data for a fast resolution to the root cause. For more information, see the Filter with template variables help page.
Windows - Security Monitoring - Inventory
Dashboard description: Utilize this dashboard to quickly assess system inventory and recent system reboots/restarts in order to understand device activity within your environment.
Use case: System inventory and system boots are leading indicators of potential security threats to be aware of, and that may require further attention.
Windows - Security Monitoring - Critical Events
Dashboard description: Tampered audit logs, stopped services, and ingestion delays above ten seconds are all good indicators that action items must be taken to resolve issues on your Windows machines.
Use case: Evaluating unexpected critical events within Windows infrastructure allows for teams to stay on top of any necessary remedial steps.
Windows - Security Analytics - Windows Updates
Dashboard description: Rich visualizations indicate the ongoing flow of Windows updates within your organization, so that engineering teams are made aware of red flags or update schedules that require updating.
Use case: Assess overall trend lines via the dashboard, and dive into specific events and event types to understand specific update failures.
Windows - Security Analytics - Windows Firewall
Dashboard description: This dashboard allows you to view Windows Firewall activity including Firewall Service Events, MPSSVC Rule Level Policy Changes, and Filtering Platform Policy Changes.
Use case: Filter by EventID or specific device to analyze traffic patterns within your Windows environments.
Windows - Security Analytics - Windows Defender
Dashboard description: The Windows Defender app is designed to offer visibility into Defender Service Events and Defender Threat Events at the Computer and Trend level.
Use case: Understand cross-sections of service events and threat events, filtered down by specific devices to stay ahead of changing attack surfaces.
Windows - Security Analytics - User Group Updates
Dashboard description: User Group Updates are generally a good litmus test for a summarized trend of how successfully Windows groups are being updated and on a correct cadence depending on policy requirements.
Use case: Align group update schedules to existing policies within your organization, and inform future policy changes based on triangulation against security events tied to update changes.
Windows - Security Analytics - User Authentication
Dashboard description: This dashboard points to snapshots of trends for successful logins as well as unsuccessful logins.
Use case: Unsuccessful logins in particular will indicate potential threats, including brute-force attempts.
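As an added example (not one of the app's own pre-built queries), a Sumo Logic search that surfaces the brute-force pattern this dashboard hints at: failed logons (Windows Security Event ID 4625) counted per account, computer and source address in five-minute slices, with a threshold. The `_sourceCategory`, the JSON field names (EventID, Computer and TargetUserName are the filter fields this page lists; IpAddress is assumed from the 4625 event data) and the threshold of 20 are assumptions; adjust them to your collector's log format and baseline.

```sumo
// Assumed source category; replace with the one you entered at install time.
// The literal "4625" narrows the scan before any parsing runs.
_sourceCategory=MyCategory "4625"
// Assumed field names: the Windows Event source is expected to emit JSON
// with EventID, Computer, TargetUserName and IpAddress fields.
// nodrop keeps records where a field is missing instead of discarding them.
| json field=_raw "EventID", "Computer", "TargetUserName", "IpAddress"
    as event_id, computer, target_user, ip_address nodrop
// 4625 is the Windows Security event for a failed logon.
| where event_id = "4625"
// Bucket into five-minute windows so bursts stand out from background noise.
| timeslice 5m
| count as failures by _timeslice, computer, target_user, ip_address
// Threshold is an assumption; tune it to your environment's normal failure rate.
| where failures > 20
// Highest-volume bursts first.
| sort by failures
```

Save the search as a scheduled search to be alerted when a burst appears, and pivot from the returned computer and ip_address into the User Account Changes dashboard to check whether lockouts followed.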
Windows - Security Analytics - User Account Changes
Dashboard description: The User Account Changes dashboard shows user accounts created, deleted, locked out, as well as password changes for a given account.
Use case: Begin with the summarized visuals in the left columns, and navigate to the right column details to understand specific computers and subjects involved in the given activity.
Windows - Security Analytics - TLS Certificates and Secure Channels
Dashboard description: This dashboard indicates TLS Certificate and Secure Channel activity and associated computers, trends, and latest events.
Use case: By mapping changes in certificates and associated trends, teams can identify areas of improvement for current TLS Certificate deployments.
Windows - Security Analytics - Default Accounts Usage
Dashboard description: This dashboard allows you to filter Default Accounts Usage by EventID, Computer, SubjectUserName, and TargetUserName.
Use case: Honeycomb visuals also point to potential hotspots, or in other words specific computers that may require further attention relative to typical expected behavior within your organization.