HYPR Dashboard for Splunk

This document will walk through the various widgets available in the HYPR Dashboard for Splunk. Please note, this dashboard is in a beta phase. Please provide any feedback or enhancement requests to your HYPR Account Manager and these will be worked into our next release.

Required

Enabling the HYPR Dashboard for Splunk assumes you are already populating HYPR Event data into a Splunk instance via the API.

Deploying the Dashboard

A Minor Modification

Prior to deploying the Splunk dashboard XML in your company's Splunk instance, you must modify the searches in each widget, replacing the index and sourcetype values with those where HYPR data resides within your Splunk environment. Failing to make these changes in each search will cause the Dashboard not to render.

To deploy the dashboard XML in Splunk:

  1. In Splunk, go to the Search and Reporting app and select the Dashboards tab.
  2. Click Create New Dashboard in the upper right.
  3. Type the Dashboard Title and, if desired, the Description; set Permissions and select Classic Dashboards. When finished to your satisfaction, click Create.
  4. In the resulting editor screen click Source in the upper left to expose the XML editor.
  5. Update the XML below so that the index and sourcetype fields reference your HYPR data.
  6. Copy and paste the updated XML into the editor.
  7. Click Save.

The HYPR Dashboard is now available under Apps > Search and Reporting > Dashboards.
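
The index and sourcetype update can be scripted and checked before pasting. The following is an added example, not HYPR's or Splunk's own code; the function name, the allow-list for values, and the target values `hypr` and `hypr:events` are assumptions, and the sample XML is a constructed excerpt in the shape of the dashboard XML on this page.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder base search used throughout the dashboard XML on this page.
PLACEHOLDER = re.compile(r"index=\*\s+sourcetype=log4j")
# Any fragment of the placeholder that survived (different spacing or order).
RESIDUE = re.compile(r"index=\*|sourcetype=log4j")
# Conservative allow-list (an assumption of this example) so a value cannot
# carry pipes, brackets or quotes into the SPL of every panel.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_:.\-]*$")


def retarget_dashboard(xml_text, index, sourcetype):
    """Point every <query> at the given index/sourcetype.

    Returns (new_xml, replacements). Raises ValueError for an unsafe value
    or if any query still contains part of the placeholder afterwards.
    """
    for name, value in (("index", index), ("sourcetype", sourcetype)):
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe {name} value: {value!r}")
    replacement = f'index={index} sourcetype="{sourcetype}"'
    root = ET.fromstring(xml_text)  # also proves the XML is well-formed
    replaced = 0
    for query in root.iter("query"):
        # subn also rewrites appendcols subsearches inside the same query.
        text, count = PLACEHOLDER.subn(replacement, query.text or "")
        if RESIDUE.search(text):
            raise ValueError(f"placeholder left in query: {text[:60]!r}")
        query.text = text
        replaced += count
    return ET.tostring(root, encoding="unicode"), replaced


# Constructed excerpt: one plain search and one with an appendcols subsearch.
SAMPLE_XML = """<form theme="dark">
  <row>
    <panel>
      <single>
        <title>Total Registration Attempts</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_REG","OOB_WORKSTATION_REG") | stats dc(sessionId) as totalRegCount</query>
        </search>
      </single>
    </panel>
    <panel>
      <single>
        <title>Successful Registration %</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_REG") | stats dc(sessionId) as totalRegCount | appendcols [search index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_DEVICE_REG_COMPLETE") isSuccessful="true" | stats dc(sessionId) as successRegCount]</query>
        </search>
      </single>
    </panel>
  </row>
</form>"""

if __name__ == "__main__":
    new_xml, replaced = retarget_dashboard(SAMPLE_XML, "hypr", "hypr:events")
    print(f"rewrote {replaced} base searches")
    print(new_xml)
```

Pinning each search to one index and sourcetype also keeps the dashboard from scanning every index the viewing role can read, which is what the `index=*` placeholder would do.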

Filters

  • TIME: Global Time Picker with default Splunk presets and relative selections. Defaults to All Time. For more information on available options for TIME, see Splunk's documentation on the Global Time Picker.
  • machineUserName: Global filter that can be used to filter all widgets on the dashboard for the given user(s); this choice is a multiple-select drop-down list that defaults to showing all values.

Registration Metrics

  • The top-level metrics for registrations are defined as follows:
    • Total Registration Attempts: The total number of website, workstation, security key, and FIDO2 registration attempts
    • Successful Registration Count: The total number of successful website, workstation, security key, and FIDO2 registration Events
    • Successful Registration %: The number of successful registration Events divided by the number of total registration attempts
    • Successful Registered User %: The number of successfully registered users divided by the total number of users who attempted to register
  • Registration Status Over Time: Time series bar chart showing the hourly count of failed and successful registrations as well as the registration success/failure percentage
  • Workstation Registration Count Per Status: Pie chart showing the breakdown of unique successful and failed workstation registration Events
  • Website Registration Count Per Status: Pie chart showing the breakdown of unique successful and failed website registration Events
  • Successful User Registration Stats: Table showing registration details for those users that have successfully registered with HYPR
    • machineUserName: Unique identifier for the registered user/integration
    • rpAppId: Unique ID for the type of HYPR integration
    • status: Success or Failure representing the registration status
    • regCount: The number of registration attempts (this could be repeated attempts to register the same device, or registration of multiple devices)
    • deviceCount: The number of devices the user has successfully registered
  • Failed User Registration Stats: Table showing registration details for users that have failed to register with HYPR. Note: This table shows users that were not eventually successfully registered
    • machineUserName: Unique identifier for the registered user/integration
    • rpAppId: Unique ID for the type of HYPR integration
    • status: Success or Failure representing the registration status
    • regCount: The number of registration attempts (this could be repeated attempts to register the same device, or registration of multiple devices)
    • deviceCount: The number of devices the user has attempted to register
    • lastErrorCode: The last error code that was seen in the logs for the user/rpAppId
    • lastErrorMessage: The last error message that was seen in the logs for the user/rpAppId
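
The registration metrics above, computed over a handful of events. This is an added example, not part of the HYPR dashboard; the events are constructed, the function and key names are assumptions, and the event names and fields are the ones used in the dashboard XML on this page. It goes slightly beyond the definitions by also reporting successful completions that have no start event in the selected data.

```python
# Event names taken from the dashboard queries on this page.
REG_START = {"OOB_WEBSITE_REG", "OOB_WORKSTATION_REG", "OOB_DEVICE_REG",
             "SMARTKEY_ENROLL", "FIDO2_DEVICE_REG"}
REG_COMPLETE = {"OOB_DEVICE_REG_COMPLETE", "SMARTKEY_ENROLL_COMPLETE",
                "FIDO2_DEVICE_REG_COMPLETE"}


def _pct(part, whole):
    # No attempts in the time range: report None instead of dividing by zero.
    return round(part / whole * 100, 1) if whole else None


def registration_metrics(events):
    attempts = [e for e in events if e["eventName"] in REG_START]
    successes = [e for e in events
                 if e["eventName"] in REG_COMPLETE and e["isSuccessful"] == "true"]

    # Sessions and users are counted once each, like dc() in the queries.
    attempt_sessions = {e["sessionId"] for e in attempts}
    success_sessions = {e["sessionId"] for e in successes}
    attempt_users = {e["machineUserName"] for e in attempts}
    success_users = {e["machineUserName"] for e in successes}

    # Failed table: users with a failed attempt and no later success.
    failed_users = {e["machineUserName"] for e in attempts
                    if e["isSuccessful"] == "false"} - success_users

    return {
        "total_attempts": len(attempt_sessions),
        "successful_count": len(success_sessions),
        "success_pct": _pct(len(success_sessions), len(attempt_sessions)),
        "success_user_pct": _pct(len(success_users), len(attempt_users)),
        "failed_users": sorted(failed_users),
        # Completions whose start event is missing (for example, it happened
        # before the selected time range) inflate the success percentages.
        "orphan_success_sessions": sorted(success_sessions - attempt_sessions),
    }


def _event(user, session, name, ok):
    return {"machineUserName": user, "sessionId": session,
            "eventName": name, "isSuccessful": ok}


# Constructed sample events.
SAMPLE_EVENTS = [
    _event("eve", "s0", "OOB_DEVICE_REG_COMPLETE", "true"),   # start not in range
    _event("alice", "s1", "OOB_WORKSTATION_REG", "true"),
    _event("alice", "s1", "OOB_DEVICE_REG_COMPLETE", "true"),
    _event("bob", "s2", "OOB_WEBSITE_REG", "false"),          # first try fails
    _event("bob", "s3", "OOB_WEBSITE_REG", "true"),
    _event("bob", "s3", "OOB_DEVICE_REG_COMPLETE", "true"),   # later succeeds
    _event("carol", "s4", "FIDO2_DEVICE_REG", "false"),       # never succeeds
    _event("dave", "s5", "SMARTKEY_ENROLL", "true"),          # never completes
]

if __name__ == "__main__":
    for key, value in registration_metrics(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```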

Authentication Metrics

  • Top-level metrics for authentications are defined as follows:
    • Total Authentication Attempts: The total number of website, workstation, security key, FIDO2, and offline PIN authentication attempts
    • Successful Authentication Count: The total number of successful website, workstation, security key, FIDO2, and offline PIN authentication Events
    • Successful Authentication %: The number of successful authentication Events divided by the number of total authentication attempts
    • Successful Authentication User %: The number of successfully authenticated users divided by the total number of users who attempted to authenticate
  • Authentication Status Over Time: Time series bar chart showing the hourly count of failed and successful authentications as well as the authentication success/failure percentage
  • Workstation Authentication Count Per Status: Pie chart showing the breakdown of unique successful and failed workstation authentication Events
  • Website Authentication Count Per Status: Pie chart showing the breakdown of unique successful and failed website authentication Events
  • Successful User Authentication Stats: Table showing authentication details for users that have successfully authenticated with HYPR
    • machineUserName: Unique identifier for the active user/integration
    • rpAppId: Unique ID for the type of HYPR integration
    • status: Success or Failure representing the authentication status
    • authCount: The number of authentication attempts (this could be repeated attempts to authenticate on the same device, or authentication via multiple devices)
    • deviceCount: The number of devices the user has used to successfully log in
  • Failed User Authentication Stats: Table showing authentication details for those users that have failed to log in with HYPR. Note: This table shows users that were not eventually successfully authenticated
    • machineUserName: Unique identifier for the active user/integration
    • rpAppId: Unique ID for the type of HYPR integration
    • status: Success or Failure representing the authentication status
    • authCount: The number of authentication attempts (this could be repeated attempts to authenticate using the same device, or authentication via multiple devices)
    • deviceCount: The number of devices with which the user has attempted to authenticate
    • lastErrorCode: The last error code seen in the logs for the user/rpAppId
    • lastErrorMessage: The last error message seen in the logs for the user/rpAppId

Audit Trail Events

Event Descriptions

A full list of all Events and common parameters can be found in the Event Descriptions article. Not every Event is listed in the HYPR Dashboard for Splunk; some only appear in API responses or logs.

  • Audit Trail Events: This table shows all Control Center Event log details
    • eventTimeInUTC: UTC timestamp of when the Event occurred
    • machineUserName: Unique identifier for the user/integration
    • eventName: Identifies the Event that took place (see the Audit Trail article)
    • subName: Identifies the step occurring during the Event flow
    • isSuccessful: Indicates whether the Event was successful or not
    • traceId: Unique identifier that can be used to tie multiple Events occurring during the same session together
    • sessionId: Top-level unique identifier that can be used to count distinct Events across the HYPR deployment
    • eventLoggedBy: Represents the entity that logged the specific step within the Event flow

HYPR Dashboard for Splunk XML

<form theme="dark">
  <label>HYPR Dashboard</label>
  <description>High Level Metrics to Track Health of HYPR Deployment</description>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time">
      <label>TIME</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="userFilter" searchWhenChanged="true">
      <label>machineUserName</label>
      <fieldForLabel>machineUserName</fieldForLabel>
      <fieldForValue>machineUserName</fieldForValue>
      <search>
        <query>index=* sourcetype=log4j | stats count(*) by machineUserName | table machineUserName</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">ALL</choice>
      <valuePrefix>machineUserName="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Total Registration Attempts</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_REG","OOB_WORKSTATION_REG","OOB_DEVICE_REG","SMARTKEY_ENROLL","FIDO2_DEVICE_REG") | stats dc(sessionId) as totalRegCount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[200,500,1000,5000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Successful Registration Count</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_DEVICE_REG_COMPLETE","SMARTKEY_ENROLL_COMPLETE","FIDO2_DEVICE_REG_COMPLETE") isSuccessful="true" | stats dc(sessionId) as successRegCount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[200,500,1000,5000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Successful Registration %</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_REG","OOB_WORKSTATION_REG","OOB_DEVICE_REG","SMARTKEY_ENROLL","FIDO2_DEVICE_REG") | stats dc(sessionId) as totalRegCount | appendcols [search index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_DEVICE_REG_COMPLETE","SMARTKEY_ENROLL_COMPLETE","FIDO2_DEVICE_REG_COMPLETE") isSuccessful="true" | stats dc(sessionId) as successRegCount] | eval successRegPercentage = round((successRegCount/totalRegCount)*100,1) | table successRegPercentage</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0xd94e17","0xcba700","0x118832"]</option>
        <option name="rangeValues">[70,90]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Successful Registered User %</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_REG","OOB_WORKSTATION_REG","OOB_DEVICE_REG","SMARTKEY_ENROLL","FIDO2_DEVICE_REG") | stats dc(machineUserName) as totalRegUsers | appendcols [search index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_DEVICE_REG_COMPLETE","SMARTKEY_ENROLL_COMPLETE","FIDO2_DEVICE_REG_COMPLETE") isSuccessful="true" | stats dc(machineUserName) as successRegUsers] | eval successRegUsersPercentage = round((successRegUsers/totalRegUsers)*100,1) | table successRegUsersPercentage</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0xd94e17","0xcba700","0x118832"]</option>
        <option name="rangeValues">[70,90]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Registration Status Over Time</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_REG","OOB_WORKSTATION_REG","OOB_DEVICE_REG","SMARTKEY_ENROLL","FIDO2_DEVICE_REG") | table _time, sessionId, isSuccessful, eventName | join type=left sessionId [|search eventName IN ("OOB_DEVICE_REG_COMPLETE","SMARTKEY_ENROLL_COMPLETE","FIDO2_DEVICE_REG_COMPLETE") | table _time, sessionId, isSuccessful, eventName] | eval status=if(eventName IN ("OOB_DEVICE_REG_COMPLETE","SMARTKEY_ENROLL_COMPLETE","FIDO2_DEVICE_REG_COMPLETE") AND isSuccessful=="true","Success","Failure") | timechart span=1h dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Workstation Registration Count Per Status</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName="OOB_WORKSTATION_REG" | table sessionId, isSuccessful, eventName | join type=left sessionId [|search $userFilter$ eventName="OOB_DEVICE_REG_COMPLETE" | table sessionId, isSuccessful, eventName] | eval status=if(eventName=="OOB_DEVICE_REG_COMPLETE" AND isSuccessful=="true","Success","Failure") | stats dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Website Registration Count Per Status</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName="OOB_WEBSITE_REG" | table sessionId, isSuccessful, eventName | join type=left sessionId [|search $userFilter$ eventName="OOB_DEVICE_REG_COMPLETE" | table sessionId, isSuccessful, eventName] | eval status=if(eventName=="OOB_DEVICE_REG_COMPLETE" AND isSuccessful=="true","Success","Failure") | stats dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>SmartKey Registration Count Per Status</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName="SMARTKEY_ENROLL" | table sessionId, isSuccessful, eventName | join type=left sessionId [|search $userFilter$ eventName="SMARTKEY_ENROLL_COMPLETE" | table sessionId, isSuccessful, eventName] | eval status=if(eventName=="SMARTKEY_ENROLL_COMPLETE" AND isSuccessful=="true","Success","Failure") | stats dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Successful User Registration Stats</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_DEVICE_REG_COMPLETE","SMARTKEY_ENROLL_COMPLETE","FIDO2_DEVICE_REG_COMPLETE") isSuccessful="true" | eval status=if(isSuccessful=="true","Success","Failure") | stats dc(sessionId) as regCount, dc(deviceId) as deviceCount by machineUserName, rpAppId, status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Failed User Registration Stats</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_REG","OOB_WORKSTATION_REG","OOB_DEVICE_REG","SMARTKEY_ENROLL","FIDO2_DEVICE_REG") isSuccessful="false" | eval status=if(isSuccessful=="true","Success","Failure") | stats dc(sessionId) as regCount, dc(deviceId) as deviceCount, latest(errorCode) as lastErrorCode, latest(message) as lastErrorMessage by machineUserName, rpAppId, status | join type=left machineUserName [|search $userFilter$ eventName IN ("OOB_DEVICE_REG_COMPLETE","SMARTKEY_ENROLL_COMPLETE","FIDO2_DEVICE_REG_COMPLETE") isSuccessful="true" | eval status=if(isSuccessful=="true","Success","Failure") | stats dc(sessionId) as regCount, dc(deviceId) as deviceCount by machineUserName, rpAppId, status] | where status="Failure"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>Total Authentication Attempts</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH","WORKSTATION_AUTH","SMARTKEY_AUTH","FIDO2_WEBAUTHN*","OFFLINE_TOKEN_AUTH") | stats dc(sessionId) as totalAuthCount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[200,500,1000,5000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Successful Authentication Attempts</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH_COMPLETE","WORKSTATION_AUTH_COMPLETE","SMARTKEY_AUTH_COMPLETE","FIDO2_WEBAUTHN_COMPLETE","OFFLINE_TOKEN_AUTH") isSuccessful="true" | stats dc(sessionId) as successAuthCount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[200,500,1000,5000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Successful Authentication %</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH","WORKSTATION_AUTH","SMARTKEY_AUTH","FIDO2_WEBAUTHN*","OFFLINE_TOKEN_AUTH") | stats dc(sessionId) as totalAuthCount | appendcols [search index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH_COMPLETE","WORKSTATION_AUTH_COMPLETE","SMARTKEY_AUTH_COMPLETE","FIDO2_WEBAUTHN_COMPLETE","OFFLINE_TOKEN_AUTH") isSuccessful="true" | stats dc(sessionId) as successAuthCount] | eval successAuthPercentage = round((successAuthCount/totalAuthCount)*100,1) | table successAuthPercentage</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0xd94e17","0xcba700","0x118832"]</option>
        <option name="rangeValues">[70,90]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Successful Authenticated User %</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH","WORKSTATION_AUTH","SMARTKEY_AUTH","FIDO2_WEBAUTHN*","OFFLINE_TOKEN_AUTH") | stats dc(machineUserName) as totalAuthUsers | appendcols [search index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH_COMPLETE","WORKSTATION_AUTH_COMPLETE","SMARTKEY_AUTH_COMPLETE","FIDO2_WEBAUTHN_COMPLETE","OFFLINE_TOKEN_AUTH") isSuccessful="true" | stats dc(machineUserName) as successAuthUsers] | eval successAuthUserPercentage = round((successAuthUsers/totalAuthUsers)*100,1) | table successAuthUserPercentage</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">246</option>
        <option name="rangeColors">["0xd94e17","0xcba700","0x118832"]</option>
        <option name="rangeValues">[70,90]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Count</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Authentication Status Over Time</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH","WORKSTATION_AUTH","SMARTKEY_AUTH","FIDO2_WEBAUTHN*","OFFLINE_TOKEN_AUTH") | table _time, sessionId, isSuccessful, eventName | join type=left sessionId [|search eventName IN  ("OOB_WEBSITE_AUTH_COMPLETE","WORKSTATION_AUTH_COMPLETE","SMARTKEY_AUTH_COMPLETE","FIDO2_WEBAUTHN_COMPLETE","OFFLINE_TOKEN_AUTH") | table _time, sessionId, isSuccessful, eventName] | eval status=if(eventName IN  ("OOB_WEBSITE_AUTH_COMPLETE","WORKSTATION_AUTH_COMPLETE","SMARTKEY_AUTH_COMPLETE","FIDO2_WEBAUTHN_COMPLETE","OFFLINE_TOKEN_AUTH") AND isSuccessful=="true","Success","Failure") | timechart span=1h dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Workstation Authentication Count Per Status</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName="WORKSTATION_AUTH" | table sessionId, isSuccessful, eventName | join type=left sessionId [|search $userFilter$ eventName="WORKSTATION_AUTH_COMPLETE" | table sessionId, isSuccessful, eventName] | eval status=if(eventName=="WORKSTATION_AUTH_COMPLETE" AND isSuccessful=="true","Success","Failure") | stats dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Website Authentication Count Per Status</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName="OOB_WEBSITE_AUTH" | table sessionId, isSuccessful, eventName | join type=left sessionId [|search $userFilter$ eventName="OOB_WEBSITE_AUTH_COMPLETE" | table sessionId, isSuccessful, eventName] | eval status=if(eventName=="OOB_WEBSITE_AUTH_COMPLETE" AND isSuccessful=="true","Success","Failure") | stats dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>SmartKey Authentication Count Per Status</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName="SMARTKEY_AUTH" | table sessionId, isSuccessful, eventName | join type=left sessionId [|search $userFilter$ eventName="SMARTKEY_AUTH_COMPLETE" | table sessionId, isSuccessful, eventName] | eval status=if(eventName=="SMARTKEY_AUTH_COMPLETE" AND isSuccessful=="true","Success","Failure") | stats dc(sessionId) as eventCount by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Successful User Authentication Stats</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH_COMPLETE","WORKSTATION_AUTH_COMPLETE","SMARTKEY_AUTH_COMPLETE","FIDO2_WEBAUTHN_COMPLETE","OFFLINE_TOKEN_AUTH") isSuccessful="true" | eval status=if(isSuccessful=="true","Success","Failure") | stats dc(sessionId) as authCount, dc(deviceId) as deviceCount by machineUserName, rpAppId, status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Failed User Authentication Stats</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName IN ("OOB_WEBSITE_AUTH","WORKSTATION_AUTH","SMARTKEY_AUTH","FIDO2_WEBAUTHN*","OFFLINE_TOKEN_AUTH") isSuccessful="false" | eval status=if(isSuccessful=="true","Success","Failure") | stats dc(sessionId) as authCount, dc(deviceId) as deviceCount, latest(errorCode) as lastErrorCode, latest(message) as lastErrorMessage by machineUserName, rpAppId, status | join type=left machineUserName [|search eventName IN ("OOB_WEBSITE_AUTH_COMPLETE","WORKSTATION_AUTH_COMPLETE","SMARTKEY_AUTH_COMPLETE","FIDO2_WEBAUTHN_COMPLETE","OFFLINE_TOKEN_AUTH") isSuccessful="true" | eval status=if(isSuccessful=="true","Success","Failure") | stats dc(sessionId) as authCount, dc(deviceId) as deviceCount by machineUserName, rpAppId, status] | where status="Failure"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Audit Trail Events</title>
        <search>
          <query>index=* sourcetype=log4j $userFilter$ eventName | table eventTimeInUTC, machineUserName, eventName, subName, isSuccessful, traceId, sessionId, eventLoggedBy</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>