How to build a dynamic dashboard for ad events?

Path Finder

Hi team!

I need a dashboard that shows when a Windows account is blocked (EventCode = 4740), but at the same time I want it to disappear if, after a while, it finds EventCode = 4767 (when the account has been unlocked).

I only want to show blocked accounts.

Is it possible to do something like that?

This is what I have. Any advice?

index=main (EventCode=4740 AND EventCode!=4767) | stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time 
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)

Re: How to build a dynamic dashboard for ad events?

SplunkTrust

@christianubeda,

Does this work for you?

index=main (EventCode=4740 OR EventCode=4767)
| stats latest(EventCode) as EventCode ... "other required fields here" by Account_Field_Name
| where EventCode=4740

Re: How to build a dynamic dashboard for ad events?

Esteemed Legend

Like this:

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY user
| where MostRecentEventCode!="4767"
| stats count first(_raw) AS _raw first(_time) AS _time BY user

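The per-account logic behind the two queries in this thread, written out in plain Python as an added example (this is not code from the thread or from Splunk). It keeps the accepted answer's rule, "the account's most recent 4740/4767 event is a lockout", next to the "any 4767 seen for the account in the window" rule that the later `stats values(EventCode)` query implements, so the difference between them shows up on sample data. The events, account names and DC hostnames are constructed for this example.

```python
"""Per-account lockout state from Windows Security events (added example).

Mirrors the two SPL ideas in the thread:
  - latest-event logic: keep an account only if its newest 4740/4767 event is a
    lockout (the "eventstats first(EventCode) ... | where ... != 4767" idea);
  - codes-seen logic: drop an account if a 4767 appears anywhere in the window
    (the "stats values(EventCode) BY account" idea).
"""
from collections import defaultdict
from datetime import datetime

LOCKOUT = "4740"  # A user account was locked out
UNLOCK = "4767"   # A user account was unlocked

# Constructed sample events (not real log data): timestamp, EventCode, account, DC host
SAMPLE_EVENTS = [
    {"_time": "2020-03-10 09:00:00", "EventCode": "4740", "user": "alice", "host": "DC01"},
    {"_time": "2020-03-10 09:20:00", "EventCode": "4767", "user": "alice", "host": "DC01"},
    {"_time": "2020-03-10 09:05:00", "EventCode": "4740", "user": "bob", "host": "DC02"},
    {"_time": "2020-03-10 09:30:00", "EventCode": "4740", "user": "carol", "host": "DC01"},
    {"_time": "2020-03-10 09:35:00", "EventCode": "4767", "user": "carol", "host": "DC01"},
    {"_time": "2020-03-10 09:40:00", "EventCode": "4740", "user": "carol", "host": "DC02"},
]


def _ts(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def latest_event_per_account(events):
    """Newest 4740/4767 event for each account.

    Splunk returns events newest-first, which is why eventstats first() picks the
    latest one; here the sort is explicit so input order does not matter.
    """
    latest = {}
    for ev in sorted(events, key=_ts, reverse=True):
        latest.setdefault(ev["user"], ev)
    return latest


def locked_by_latest_event(events):
    """Accounts whose most recent event is a lockout (accepted answer's rule)."""
    return sorted(u for u, ev in latest_event_per_account(events).items()
                  if ev["EventCode"] == LOCKOUT)


def codes_seen_per_account(events):
    """Set of event codes seen per account (what stats values(EventCode) BY account yields)."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(ev["EventCode"])
    return seen


def locked_by_codes_seen(events):
    """Accounts with a lockout and no unlock anywhere in the window (final query's rule)."""
    return sorted(u for u, codes in codes_seen_per_account(events).items()
                  if LOCKOUT in codes and UNLOCK not in codes)


def dashboard_rows(events):
    """Rows for a 'currently locked' panel, built with the latest-event rule."""
    latest = latest_event_per_account(events)
    return [
        {"Nombre de la cuenta": u, "DC Server": latest[u]["host"],
         "Date": _ts(latest[u]).strftime("%m/%d/%Y %H:%M:%S")}
        for u in locked_by_latest_event(events)
    ]


if __name__ == "__main__":
    print("latest-event logic:", locked_by_latest_event(SAMPLE_EVENTS))  # ['bob', 'carol']
    print("codes-seen logic:  ", locked_by_codes_seen(SAMPLE_EVENTS))    # ['bob']
    for row in dashboard_rows(SAMPLE_EVENTS):
        print(row)
```

In the sample data, carol is unlocked at 09:35 and locked out again at 09:40. The latest-event rule still lists her; the codes-seen rule does not, because a single 4767 anywhere in the search window hides the account. A panel built on `stats values(EventCode)` is therefore only accurate when the dashboard's time range is short enough that an unlock is not followed by a fresh lockout inside it, which is worth checking before relying on it for monitoring.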

Re: How to build a dynamic dashboard for ad events?

Path Finder

Thanks for your answer.

I've tried it, but it's not working.

I have a case in which it shows me a blocking event (4740), but after 20 minutes an unlocking event appears (4767), so it should not be showing me the previous event. But it does.

Any ideas?

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY Nombredecuenta
| where MostRecentEventCode!="4767"
| stats values(host), values(EventCodeDescription), values(Nombredecuenta),values(Nombredeequipodelautordelallamada), values(action) by _time
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombredecuenta) as "Nombre de la cuenta",values(Nombredeequipodelautordelallamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)


Re: How to build a dynamic dashboard for ad events?

Esteemed Legend

You might try swapping the 2 BY user portions for BY user host. The general concept is sound and will work but may require some adjustment.


Re: How to build a dynamic dashboard for ad events?

Path Finder

I have an idea!

With this, I get events with two EventCodes:

index=main (EventCode="4740" OR EventCode="4767") | eventstats first(EventCode) AS MostRecentEventCode BY Nombredecuenta
| stats values(time), values(EventCode) by Nombredecuenta

What if I merge the two EventCodes into a single field and get something like "47404767"?

So I can do | where MostRecentEventCode!="4767" or MostRecentEventCode!="47404767"

Can I do it? How?


Re: How to build a dynamic dashboard for ad events?

Path Finder

I did that and it works:

index=main (EventCode=4740 OR EventCode=4767)

| stats values(EventCode) as MostRecentEventCode, values(host) values(Nombredeequipodelautordelallamada), values(action), values(time), values(name) by Nombredecuenta | mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode
| where MostRecentEventCode!="4767" AND MostRecentEventCode!="4740 4767" | rename values(host) as "DC Server", values(name) as Description, Nombredecuenta as "Nombre de la cuenta",values(Nombredeequipodelautordelallamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, values(time) as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
| table "Nombre de la cuenta" "Equipo que ha bloqueado la cuenta de usuario" Description Action Date

| mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode

It works! Thank you.