Overview
I’ve been blessed to be extremely busy the first few months of this new year, both professionally and personally. Between work, home improvement projects, and staying sharp on the blue team side, the weeks have moved fast.
My goal moving forward is simple: establish a weekly blog post documenting my journey through the Hack the Box SOC Analyst Pathway.
This entry focuses on something I’ve been spending significant time on lately: building practical SIEM visualizations in Elastic and learning what details actually matter when trying to detect suspicious behavior.
Objectives
In this post, I summarize the tools and skills I used while completing four SIEM visualization exercises:
- Failed logon attempts across all users
- Failed logons targeting disabled users
- Successful RDP logons involving service accounts
- Additions and removals from the local Administrators group within a defined timeframe
Tools and Platform Used
- Elastic Stack (Kibana dashboards and Lens visualizations)
- Elasticsearch indices (windows* dataset)
- Windows Security Event Logs
- KQL (Kibana Query Language) for filtering and exclusions
- Aggregations using keyword fields (e.g., user.name.keyword)
What I Built
Throughout these exercises, I created four focused SIEM visualizations in Elastic, each designed around a specific detection use case.
1. Failed Logon Attempts (All Users)
Built a table-based visualization using Event ID 4625 to identify failed logons across the environment.
Aggregated by:
- user.name.keyword
- host.hostname.keyword
- logon type
- count of records
Refined the visualization by:
- Renaming columns for clarity
- Sorting results for readability
- Excluding computer accounts
- Tightening scope using KQL filters
2. Failed Logons – Disabled Users
Filtered Event ID 4625 events using SubStatus 0xC0000072 to detect authentication attempts against disabled accounts.
This reinforced an important lesson: failure reason fields can turn generic noise into meaningful signal.
3. Successful RDP Logons – Service Accounts
Used Event ID 4624 with logon type RemoteInteractive and a KQL filter:
user.name: svc-*
This isolated service account usage over RDP — something that should not normally occur in a corporate environment.
Included:
- Service account
- Target machine
- Source IP
- Login count
This exercise emphasized environment-aware detection logic and the importance of naming conventions in monitoring strategy.
4. Local Administrators Group Changes (Time-Bound)
Monitored Event IDs 4732 and 4733 for additions and removals from the local Administrators group within a defined timeframe.
Included:
- Acting user
- Affected account (Member SID)
- Group name
- Action type
- Host
- Event count
This focused on high-impact privilege changes and reinforced proper time scoping when working with Elasticsearch buckets.
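To make the four use cases above concrete outside of Kibana, here is an added example (my own illustration, not code from the post or from Hack The Box) that applies the same filters and group-bys to a handful of constructed Winlogbeat-style documents. The field names (event.code, winlog.channel, winlog.event_data.LogonType, winlog.event_data.SubStatus, winlog.event_data.MemberSid, winlog.event_data.SubjectUserName, winlog.event_data.TargetUserName, source.ip) are assumed ECS/Winlogbeat names; the lab's windows* index may map them differently, so check them in Discover before reusing the KQL shown in the comments. The sample events, hostnames, SID and IP are all made up.

```python
"""Added example: the post's four SIEM use cases as filter + group-by logic
over constructed Winlogbeat-style events. Field names are assumptions."""
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _ev(ts, code, user, host, src=None, **data):
    """Build one constructed event, flattened to the dotted names Kibana shows."""
    e = {"@timestamp": ts, "event.code": code, "winlog.channel": "Security",
         "user.name": user, "host.hostname": host}
    if src:
        e["source.ip"] = src
    e.update({"winlog.event_data." + k: v for k, v in data.items()})
    return e


SID = "S-1-5-21-1000000000-2000000000-3000000000-1105"  # constructed, not real

EVENTS = [  # constructed sample data
    _ev("2024-03-01T09:00:00Z", "4625", "jdoe", "WS01", LogonType="3", SubStatus="0xc000006a"),
    _ev("2024-03-01T09:00:05Z", "4625", "jdoe", "WS01", LogonType="3", SubStatus="0xc000006a"),
    _ev("2024-03-01T09:01:00Z", "4625", "WS01$", "DC01", LogonType="3", SubStatus="0xc000006d"),
    _ev("2024-03-01T09:02:00Z", "4625", "bob", "WS02", LogonType="2", SubStatus="0xc0000072"),
    _ev("2024-03-01T09:10:00Z", "4624", "svc-backup", "SRV01", src="10.0.0.5", LogonType="10"),
    _ev("2024-03-01T09:11:00Z", "4624", "svc-backup", "SRV01", LogonType="5"),
    _ev("2024-03-01T09:12:00Z", "4624", "alice", "WS01", src="10.0.0.7", LogonType="10"),
    _ev("2024-03-01T10:00:00Z", "4732", "admin1", "SRV01", SubjectUserName="admin1",
        MemberSid=SID, TargetUserName="Administrators"),
    _ev("2024-02-20T10:00:00Z", "4733", "admin1", "SRV01", SubjectUserName="admin1",
        MemberSid=SID, TargetUserName="Administrators"),
    _ev("2024-03-01T11:00:00Z", "4732", "admin1", "SRV01", SubjectUserName="admin1",
        MemberSid=SID, TargetUserName="Remote Desktop Users"),
]

# Time picker window for use case 4 (constructed).
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 2, tzinfo=timezone.utc)


def failed_logons(events):
    """Use case 1. KQL: event.code:4625 and winlog.channel:Security and not user.name:*$"""
    rows = Counter()
    for e in events:
        if e.get("event.code") != "4625" or e.get("winlog.channel") != "Security":
            continue
        if e["user.name"].endswith("$"):  # drop computer accounts
            continue
        rows[(e["user.name"], e["host.hostname"], e["winlog.event_data.LogonType"])] += 1
    return rows


def failed_logons_disabled_users(events):
    """Use case 2. KQL: event.code:4625 and winlog.event_data.SubStatus:0xC0000072"""
    return Counter(
        (e["user.name"], e["host.hostname"])
        for e in events
        if e.get("event.code") == "4625"
        and e.get("winlog.event_data.SubStatus", "").lower() == "0xc0000072"
    )


def rdp_service_account_logons(events):
    """Use case 3. KQL: event.code:4624 and winlog.event_data.LogonType:10 and user.name:svc-*"""
    # LogonType 10 is RemoteInteractive (RDP); fnmatchcase mirrors the KQL wildcard.
    return Counter(
        (e["user.name"], e["host.hostname"], e.get("source.ip", "-"))
        for e in events
        if e.get("event.code") == "4624"
        and e.get("winlog.event_data.LogonType") == "10"
        and fnmatchcase(e["user.name"], "svc-*")
    )


def local_admin_group_changes(events, start=WINDOW_START, end=WINDOW_END):
    """Use case 4. KQL: event.code:(4732 or 4733) and winlog.event_data.TargetUserName:Administrators,
    with the time range applied via the Kibana time picker."""
    action = {"4732": "added", "4733": "removed"}
    rows = Counter()
    for e in events:
        if e.get("event.code") not in action:
            continue
        if e.get("winlog.event_data.TargetUserName") != "Administrators":
            continue
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        if not (start <= ts < end):  # bucket boundaries: inclusive start, exclusive end
            continue
        rows[(e["winlog.event_data.SubjectUserName"], e["winlog.event_data.MemberSid"],
              "Administrators", action[e["event.code"]], e["host.hostname"])] += 1
    return rows


def render(title, headers, rows):
    """Print a handoff-ready table with renamed columns, sorted by count descending."""
    print(f"\n{title}\n" + " | ".join(headers + ("Count",)))
    for key, n in sorted(rows.items(), key=lambda kv: -kv[1]):
        print(" | ".join(key + (str(n),)))


if __name__ == "__main__":
    render("Failed logons", ("User", "Host", "Logon type"), failed_logons(EVENTS))
    render("Failed logons - disabled users", ("User", "Host"), failed_logons_disabled_users(EVENTS))
    render("RDP logons - service accounts", ("Service account", "Target", "Source IP"),
           rdp_service_account_logons(EVENTS))
    render("Local Administrators changes", ("Acting user", "Member SID", "Group", "Action", "Host"),
           local_admin_group_changes(EVENTS))
```

The computer-account exclusion, the SubStatus match and the svc-* wildcard are the same three noise cuts the post applies in KQL; the time window in use case 4 is handled with an inclusive start and exclusive end, which is how Elasticsearch date buckets behave, so an event landing exactly on the end boundary falls into the next bucket rather than both.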
Skills I Picked Up
SIEM Skills
- Building dashboards from scratch instead of relying on prebaked views
- Selecting the right visualization type based on the investigation goal
- Creating filters that reflect attacker behavior, not just event IDs
- Adding contextual fields to make results actionable
- Formatting visualizations for SOC handoff readiness
Elastic / KQL Skills
- Proper index selection (windows*)
- Field validation to confirm data availability
- Using .keyword fields for aggregations
- Writing KQL queries to reduce noise and tighten scope:
  - Excluding computer accounts (*$)
  - Leveraging naming conventions (svc-*)
  - Narrowing to Security log channel
Windows Event Log Knowledge
- 4625 – Failed logon
- 4624 – Successful logon
- 4732 / 4733 – Local group membership changes
- SubStatus 0xC0000072 – Disabled user logon failure
- Logon types matter — RemoteInteractive is high signal for RDP
Lessons Learned
The biggest shift for me in these exercises is this:
Making a dashboard isn’t the skill.
Making a dashboard that helps someone investigate quickly is the skill.