Hi team!
I need a dashboard that shows when a Windows account is locked out (EventCode = 4740), but at the same time I want the entry to disappear if, after some time, it finds EventCode = 4767 (the account has been unlocked).
I only want to show locked-out accounts.
Is it possible to do something like that?
This is what I have. Any advice?
index=main (EventCode=4740 AND EventCode!=4767) | stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
Like this:
index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY user
| where MostRecentEventCode!="4767"
| stats count first(_raw) AS _raw first(_time) AS _time BY user
Thanks for your answer.
I've tried it, but it's not working.
I have a case where it shows me a lockout event (4740), but 20 minutes later an unlock event (4767) appears, so it should not be showing me the earlier events. But it does.
Any ideas?
index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| where MostRecentEventCode!="4767"
| stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
You might try swapping the 2 BY user portions for BY user host. The general concept is sound and will work but may require some adjustment.
I did that and it works:
index=main (EventCode=4740 OR EventCode=4767)
| stats values(EventCode) as MostRecentEventCode, values(host) values(Nombre_de_equipo_del_autor_de_la_llamada), values(action), values(_time), values(name) by Nombre_de_cuenta | mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode
| where MostRecentEventCode!="4767" AND MostRecentEventCode!="4740 4767" | rename values(host) as "DC Server", values(name) as Description, Nombre_de_cuenta as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, values(_time) as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
| table "Nombre de la cuenta" "Equipo que ha bloqueado la cuenta de usuario" Description Action Date
It works! Thank you
I have an idea!
With this I get events with two EventCodes:
index=main (EventCode="4740" OR EventCode="4767") | eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| stats values(_time), values(EventCode) by Nombre_de_cuenta
What if I merge the two EventCodes into a single field and get something like "47404767"?
Then I could do | where MostRecentEventCode!="4767" or MostRecentEventCode!="47404767"
Can I do it? How?
@christianubeda,
Does this work for you?
index=main (EventCode=4740 OR EventCode=4767)
| stats latest(EventCode) as EventCode ... "other required fields here" by Account_Field_Name
| where EventCode=4740
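The "latest event per account" logic of the answer above, reproduced in Python over a few constructed log lines so it can be checked offline. This is an added example, not code from the thread or from Splunk; the log format, the host names and the field names (host, EventCode, Nombre_de_cuenta, mirroring the thread's Spanish-localised extractions) are assumptions. It also shows two pitfalls discussed in the thread: the values()-based filter hides an account that was unlocked and then locked out again, and grouping by account AND host keeps showing accounts whose unlock was recorded on a different domain controller (4740 is written on the PDC emulator, 4767 on whichever DC performed the unlock), so group by account only.

```python
"""Latest-state-per-account lockout check over constructed Windows event lines.

Added example, not from the original thread. Field names and log layout are
assumptions chosen to mirror the thread's extractions.
"""
import re
from dataclasses import dataclass
from datetime import datetime

LOCKOUT = 4740  # "A user account was locked out"
UNLOCK = 4767   # "A user account was unlocked"

# Constructed sample log (not real data). Note alice's lockout and unlock were
# recorded on different DCs, and carol was locked out again after an unlock.
SAMPLE_LOG = """\
03/02/2020 08:00:00 host=DC01 EventCode=4740 Nombre_de_cuenta=carol
03/02/2020 08:30:00 host=DC02 EventCode=4767 Nombre_de_cuenta=carol
03/02/2020 09:00:00 host=DC01 EventCode=4740 Nombre_de_cuenta=alice
03/02/2020 09:05:00 host=DC01 EventCode=4740 Nombre_de_cuenta=bob
03/02/2020 09:20:00 host=DC02 EventCode=4767 Nombre_de_cuenta=alice
03/02/2020 09:45:00 host=DC01 EventCode=4740 Nombre_de_cuenta=carol
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    account: str
    code: int


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event (assumed layout)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
    fields = dict(pair.split("=", 1) for pair in m["kv"].split())
    return Event(ts, fields["host"], fields["Nombre_de_cuenta"], int(fields["EventCode"]))


def parse_log(text: str) -> list[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def currently_locked_out(events, key=lambda e: e.account) -> dict:
    """Equivalent of: stats latest(EventCode) ... by <key> | where EventCode=4740.

    Keeps only the newest event per key, then keeps keys whose newest event is
    a lockout. The default key is the account alone; passing (account, host)
    reproduces the 'BY user host' variant and its blind spot.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e.time):  # oldest first, last write wins
        latest[key(ev)] = ev
    return {k: ev for k, ev in latest.items() if ev.code == LOCKOUT}


def locked_out_by_values_filter(events) -> set:
    """Equivalent of the thread's values(EventCode) + 'not "4740 4767"' filter.

    Any account that has ever been unlocked in the search window is dropped,
    even if it was locked out again afterwards (carol in the sample).
    """
    codes: dict[str, set[int]] = {}
    for ev in events:
        codes.setdefault(ev.account, set()).add(ev.code)
    return {acct for acct, cs in codes.items() if cs == {LOCKOUT}}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for acct, ev in sorted(currently_locked_out(evs).items()):
        print(f"{acct:8} locked out since {ev.time:%m/%d/%Y %H:%M:%S} on {ev.host}")
```

As with the Splunk search, the result is only correct if the search window reaches back far enough to include the unlock event; a dashboard panel scoped to the last hour will resurrect a lockout whose unlock happened earlier.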