The following search returns user lockouts:
I have a user field which is "abc1234".
The following search returns a target_user field "First Last (userid)"
| eval target_user = givenName." ".sn." (".sAMAccountName.")"
How can I combine these searches to produce a field that would let me display:
First Last (userid) and Account Lockouts in a single table?
Lockout event: - I've taken out the irrelevant data
07/12/2018 11:16:16 AM
SourceName=Microsoft Windows security auditing.
Message=A user account was locked out.
Account That Was Locked Out:
Account Name: abc1234
MSAD Event - I've taken out the irrelevant data
Thanks. So, in the Lockout Event, the Account Name: abc1234, will that match to either the name, cn, or sAMAccountName?
If yes, you can do a join and then a sub query.
See if this will work
index=winevents EventCode=4740 | rename "Account Name" as cn | join cn [search index=msad sourcetype=ActiveDirectory] | table _time givenName sn cn Message
I'm renaming Account Name to cn so the join will work.
Pseudocode for that is as follows:
(your search that gets the lockout events) OR (your search that gets the MSAD events) | fields ... list all (and ONLY) the fields you need from either type of record... | rename COMMENT as "set up a single named key to match the records, and create the target_user data" | eval cn=concatenate(cn,"Account Name") | eval target_user = givenName." ".sn." (".sAMAccountName.")" | rename COMMENT as "roll the target_user data from the MSAD to the lockout records, then drop the MSAD records" | eventstats values(target_user) as target_user by cn | where (the record is a lockout record)