topic Re: How to build a dynamic dashboard for ad events? in Dashboards & Visualizations

How to build a dynamic dashboard for ad events?

christianubeda — Fri, 14 Jun 2019 13:05:50 GMT

Hi team!

I need a dashboard that shows when a windows account is blocked. Eventcode = 4740 but at the same time I want it to disappear if after a time it finds the Eventcode = 4767 (When the account has been unlocked)

I only want to show blocked accounts

It is possible to do something like that

This is what I have. Any advice?

index=main (EventCode=4740 AND EventCode!=4767) | stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time 
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)

Re: How to build a dynamic dashboard for ad events?

renjith_nair — Fri, 14 Jun 2019 14:14:20 GMT

@christianubeda,

Does this work for you ?

index=main (EventCode=4740 OR EventCode=4767) 
|stats latest(Eventcode ) as Eventcode ... "other required fields here"  by Account_Field_Name
|where Eventcode=4740

Re: How to build a dynamic dashboard for ad events?

woodcock — Sun, 16 Jun 2019 23:02:29 GMT

Like this:

index=main (EventCode="4740" OR EventCode="4767")
| eventsats first(EventCode) AS MostRecentEventCode BY user
| where MostRecentEventCode!="4767"
| stats count first(_raw) AS _raw first(_time) AS _time BY user

Re: How to build a dynamic dashboard for ad events?

christianubeda — Wed, 30 Sep 2020 00:59:34 GMT

Thanks for your answer.

I've tried but it's not working.

I have the case in which he shows me a blocking event (4740) but after 20 minutes an unlocking event appears(4767) so he should not be showing me the previous events. But it do.

Any ideas?

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| where MostRecentEventCode!="4767"
| stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)

Re: How to build a dynamic dashboard for ad events?

woodcock — Mon, 17 Jun 2019 17:25:32 GMT

You might try swapping the 2 BY user portions for BY user host. The general concept is sound and will work but may require some adjustment.

Re: How to build a dynamic dashboard for ad events?

christianubeda — Wed, 30 Sep 2020 00:57:15 GMT

I have an idea!

With this I have events with 2 EventCode

index=main (EventCode="4740" OR EventCode="4767") | eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| stats values(_time), values(EventCode) by Nombre_de_cuenta

And if I merge the two eventcodes into a single field and get something like "47404767"

So I can do | where MostRecentEventCode!="4767" or MostRecentEventCode!="47404767"

Can I do it? How?

Re: How to build a dynamic dashboard for ad events?

christianubeda — Wed, 30 Sep 2020 00:57:19 GMT

I did that and works,

index=main (EventCode=4740 OR EventCode=4767)

| stats values(EventCode) as MostRecentEventCode, values(host) values(Nombre_de_equipo_del_autor_de_la_llamada), values(action), values(_time), values(name) by Nombre_de_cuenta | mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode
| where MostRecentEventCode!="4767" AND MostRecentEventCode!="4740 4767" | rename values(host) as "DC Server", values(name) as Description, Nombre_de_cuenta as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, values(_time) as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
| table "Nombre de la cuenta" "Equipo que ha bloqueado la cuenta de usuario" Description Action Date

| mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode

It works! Thank you