I have a dashboard that runs in a real time window of 7 days and shows locked user accounts for Active Directory, Changes to key Admin Groups, and Audit policy deleted by user. It is not updating and the unlock panel runs slowly.
- What can I do to get the dashboard (or panels) to show when a real-time event comes in? I've tried adding a form refresh (see code below) and a dashboard interval, but no luck.
- Is there a better way to look up the Display name using the Sam Account name than ldapfilter under the "Account has locked" panel?
Note: There is an opening form entry in my XML code on the question, but it is not missing on the Splunk dashboard.
<form refresh="30">
<label>Active_Directory_Events</label>
<row>
<panel>
<input type="time" token="time_tok2" searchWhenChanged="true">
<label></label>
<default>
<earliest>rt-7d</earliest>
<latest>rtnow</latest>
</default>
</input>
<table>
<title>An Account has been locked out</title>
<search>
<query>index=main sourcetype="*wineventlog:security" EventCode=4740 | eval Account=mvindex(Account_Name, 1) | ldapfilter domain="domainname.com" search="(sAMAccountName=$$Account$$)" attrs="displayName" | sort -_time | table _time name Account displayName | rename _time AS Time name AS Status Account AS Target_Account displayName as Full_Name | convert timeformat="%m.%d.%Y %H:%M:%S" ctime(Time)</query>
<earliest>$time_tok2.earliest$</earliest>
<latest>$time_tok2.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
<panel>
<input type="time" token="time_token1">
<label></label>
<default>
<earliest>rt-7d</earliest>
<latest>rtnow</latest>
</default>
</input>
<table>
<title>Privileged Groups Changes</title>
<search>
<query>(Group_Name="Domain Admins" OR Group_Name="Enterprise Admins" OR Group_Name="Schema Admins" OR Group_Name="Delegated Setup" OR Group_Name="Discovery Management" OR Group_Name="Exchange All Hosted Organizations" OR Group_Name="Exchange Organization Administrators" OR Group_Name="Exchange Public Folder Administrators" OR Group_Name="Exchange Recipient Administrators" OR Group_Name="Exchange Servers" OR Group_Name="Exchange Trusted Subsystem" OR Group_Name="Exchange View-Only Administrators" OR Group_Name="Exchange Windows Permissions" OR Group_Name="ExchangeLegacyInterop" OR Group_Name="Help Desk (Exchange)" OR Group_Name="Hygiene Management" OR Group_Name="Organization Management" OR Group_Name="Public Folder Management" OR Group_Name="Recipient Management" OR Group_Name="Records Management" OR Group_Name="Server Management" OR Group_Name="UM Management" OR Group_Name="View-Only Organization Management") eventtype=msad-groupmembership-changes NOT src_user="*$$" AND NOT member_id="S-1*" | sort -_time | table _time src_user member_id user_group name | rename _time AS Time src_user as "Administrator" member_id as "Group_Member" user_group as Group name as Action | convert timeformat="%m.%d.%Y %H:%M:%S" ctime(Time)</query>
<earliest>$time_token1.earliest$</earliest>
<latest>$time_token1.latest$</latest>
</search>
<option name="drilldown">row</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<input type="time" token="time_tok3">
<label></label>
<default>
<earliest>rt-7d</earliest>
<latest>rtnow</latest>
</default>
</input>
<table>
<title>Audit Log Deleted by User</title>
<search>
<query>index=main sourcetype="*wineventlog:security" EventCode=1102 | sort -_time | table _time Account_Name | rename _time as Time Account_Name as User | convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)</query>
<earliest>$time_tok3.earliest$</earliest>
<latest>$time_tok3.latest$</latest>
</search>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
Was able to redo the dashboard. Did not need realtime on each panel. Set panel for 7 days and set each panel to auto-refresh every 20 seconds. For the Ldap filter, converted to a lookup table instead that does a scheduled lookup from Active Directory.

Hi @jd0323fhl - If you were able to answer your own question, please don't forget to resolve this post by clicking on "Accept" below your answer. Thanks! 🙂
