Dashboards & Visualizations

How to build a dynamic dashboard for ad events?

christianubeda
Path Finder

Hi team!

I need a dashboard that shows when a Windows account is blocked (EventCode = 4740), but at the same time I want it to disappear if, after a while, it finds EventCode = 4767 (when the account has been unlocked).

I only want to show blocked accounts.

Is it possible to do something like that?

This is what I have. Any advice?

index=main (EventCode=4740 AND EventCode!=4767) | stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time 
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
1 Solution

woodcock
Esteemed Legend

Like this:

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY user
| where MostRecentEventCode!="4767"
| stats count first(_raw) AS _raw first(_time) AS _time BY user

christianubeda
Path Finder

Thanks for your answer.

I've tried but it's not working.

I have a case in which it shows me a blocking event (4740), but after 20 minutes an unblocking event (4767) appears, so it should not be showing me the previous events. But it does.

Any ideas?

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| where MostRecentEventCode!="4767"
| stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)


woodcock
Esteemed Legend

You might try swapping the 2 BY user portions for BY user host. The general concept is sound and will work but may require some adjustment.


christianubeda
Path Finder

I did that and it works:

index=main (EventCode=4740 OR EventCode=4767)

| stats values(EventCode) as MostRecentEventCode, values(host) values(Nombre_de_equipo_del_autor_de_la_llamada), values(action), values(_time), values(name) by Nombre_de_cuenta | mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode
| where MostRecentEventCode!="4767" AND MostRecentEventCode!="4740 4767" | rename values(host) as "DC Server", values(name) as Description, Nombre_de_cuenta as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, values(_time) as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
| table "Nombre de la cuenta" "Equipo que ha bloqueado la cuenta de usuario" Description Action Date

| mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode

It works! Thank you.


christianubeda
Path Finder

I have an idea!

With this I have events with 2 EventCodes:

index=main (EventCode="4740" OR EventCode="4767") | eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| stats values(_time), values(EventCode) by Nombre_de_cuenta

And if I merge the two EventCodes into a single field, I get something like "47404767".

So I can do | where MostRecentEventCode!="4767" or MostRecentEventCode!="47404767"

Can I do it? How?


renjith_nair
SplunkTrust

@christianubeda,

Does this work for you?

index=main (EventCode=4740 OR EventCode=4767)
| stats latest(EventCode) as EventCode ... "other required fields here" by Account_Field_Name
| where EventCode=4740
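The logic the thread settles on (keep the latest event per account, show only accounts whose latest code is 4740), modelled in Python as an added example rather than Splunk code from the thread: the field names follow the posts, the sample events are constructed, and the key variant shows why adding host to the BY clause can leave a lockout on screen after an unlock recorded by a different DC.

```python
"""Per-account "latest state" model of the lockout dashboard logic.

Added example, not Splunk code from the thread. Each event is a dict with the
fields the posts use (EventCode, Nombre_de_cuenta, host, _time). The sample
events are constructed; _time is epoch seconds.
"""

LOCKED_OUT = "4740"   # A user account was locked out
UNLOCKED = "4767"     # A user account was unlocked

# Constructed sample events, not real log data.
EVENTS = [
    {"_time": 1000, "EventCode": LOCKED_OUT, "Nombre_de_cuenta": "alice", "host": "dc01"},
    {"_time": 2200, "EventCode": UNLOCKED,   "Nombre_de_cuenta": "alice", "host": "dc01"},  # unlock 20 min later
    {"_time": 1500, "EventCode": LOCKED_OUT, "Nombre_de_cuenta": "bob",   "host": "dc02"},
    {"_time": 1600, "EventCode": LOCKED_OUT, "Nombre_de_cuenta": "carol", "host": "dc01"},
    {"_time": 1700, "EventCode": UNLOCKED,   "Nombre_de_cuenta": "carol", "host": "dc02"},  # unlock seen on another DC
    {"_time":  500, "EventCode": LOCKED_OUT, "Nombre_de_cuenta": "dave",  "host": "dc01"},
    {"_time":  600, "EventCode": UNLOCKED,   "Nombre_de_cuenta": "dave",  "host": "dc01"},
    {"_time": 3000, "EventCode": LOCKED_OUT, "Nombre_de_cuenta": "dave",  "host": "dc01"},  # locked again
]


def naive_filter(events):
    """The original query, EventCode=4740 AND EventCode!=4767, evaluated per event.
    One event never carries both codes, so the != clause excludes nothing and
    every lockout stays visible even after the account is unlocked."""
    return sorted({e["Nombre_de_cuenta"] for e in events
                   if e["EventCode"] == LOCKED_OUT and e["EventCode"] != UNLOCKED})


def latest_by_key(events, key=("Nombre_de_cuenta",)):
    """stats latest(EventCode) BY <key>: the newest event for each key tuple."""
    latest = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        latest[tuple(e[k] for k in key)] = e
    return latest


def show_locked_accounts(events, key=("Nombre_de_cuenta",)):
    """Dashboard rows: keys whose most recent event is still a lockout.
    Keying by account alone clears a lockout on any DC's unlock; adding host
    to the key keeps carol's lockout on dc01 after dc02 unlocked her."""
    return sorted(k for k, e in latest_by_key(events, key).items()
                  if e["EventCode"] == LOCKED_OUT)
```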