
Graylog Illuminate for Authentication

Graylog Illuminate for Authentication eliminates the manual setup necessary to detect, monitor, and analyze authentication issues across your IT infrastructure.

It initially includes the Windows Authentication Spotlight with data normalization, parsing rules, data enrichment, dashboards, and alerts zipped up and ready to deploy inside Graylog Enterprise. Once deployed, Graylog Enterprise customers will save hundreds of hours, be able to leverage our in-house expertise, and gain visibility into authentication trends and potential security issues in their IT environment.


Graylog Illuminate for Windows Authentication comes with four pre-built dashboards that help you get started using Graylog to monitor Windows Authentication in your environment. These dashboards include Account Investigation Drill Down, Device Investigation Drill Down, Enterprise Authentication, and Windows Authentication.


The Enterprise Authentication dashboard includes multiple widgets that provide a global view of authentication activities in your organization. There are widgets for Successful and Failed Logon attempts, authentication by source product, and authentication over time for both user and product. On the second tab of the Enterprise Dashboard, there are widgets for Logons by Geolocation and Logon attempts by source, username, and outcome. Currently, the Enterprise Dashboard only includes Windows Authentication activities, but we will be expanding this dashboard once Okta and Linux data is available.


As with the Enterprise dashboard, the Windows Authentication dashboard contains multiple widgets that show several different authentication metrics, including successful and failed login attempts, account lockout events, authentication over time trending, geolocation of logon attempts, and a host of other useful information.

The Logon Activity Over Time widget can be used to spot spikes in failed login attempts. Such a spike could point to a possible security issue where an investigation may be required. Additionally, there are widgets that show disabled accounts and authentication attempts by source, including Kerberos, which can be used to monitor and alert on issues such as Kerberoasting activities. Several pre-built alerts and events are also available, which can be used to alert analysts when specific criteria are met.


Back on the Windows Authentication Dashboard, we can drill down into a specific user by selecting that user and pivoting into the Account Investigation Drill-Down Dashboard. On this dashboard, we can see specific authentication activities for the selected user which include successful and failed login attempts, user logon count over time, geolocation, and account logon source.


The Device Investigation Dashboard provides additional widgets that show an overview of authentication attempts by source and user account. This dashboard includes user authentication metrics, geolocation of source logon attempts, and trending for authentication source and logon activities.


Additionally, Graylog has provided several pre-built alerts for brute force attacks, potential password spraying detection, and several others to help you get started. The product also comes with pipeline rules that process and normalize logs from different agents, such as Winlogbeat and NXLog. The first stage processes the agent logs and converts that data into the Graylog format, the next stage enriches that data, and later stages provide additional processing and tagging.

We hope you enjoy working with Graylog Illuminate for Authentication. Happy Logging!