Good morning. I hope you can help? I have an existing dashboard which reports on user lock out orientated event codes from our DC's. index=index_name sourcetype="WinEventLog:Security" EventCode=4740 OR EventCode=4771 OR EventCode=4625 |eval Source=case(EventCode==4771,Client_Address,EventCode==4740,Caller_Computer_Name,EventCode==4625,Source_Network_Address) | eval Account_Name=if(EventCode==4771,Account_Name,mvindex(Account_Name,1)) | eval Account_Domain=case(EventCode==4771,Security_ID,EventCode==4740,Account_Domain,EventCode==4625,mvindex(Account_Domain,1)) | table _time, EventCode, Account_Name, Account_Domain, ComputerName, Source Ultimately, I would like to generate a report whereby if a user is locked out (EventCode=4740) the previous 60 minutes log attempts are recorded showing source machine and also the machine which the user is attempting to connect to. I will then go on to generate a script to put this in to e-mail format so that I can automatically e-mail the user with this report when they are locked out. Can anyone help? To clarify, the EventCode=4740 would be the trigger and then I would need the previous 60 minutes log attempts including source machine and destination machine in a report. Would this be a transaction or span command? Any help would be appreciated. Kind regards, Rob. ... View more

This is confusing me greatly so forgive me if my explanation is not clear but I will try to explain: I have a dashboard in app A, lets call it dashboard AA, accessible by role A. I had a request from an internal department to create a new app, app B which consisted only of dashboard AA and it's relative drill down dashboards. App B access will be controlled by role B. I cloned dashboard AA from app A (and all required drill down dashboards) i.e. made it global and then cloned within app B, cloning permissions also.I then changed the App A sharing permissions back to role A only. Lets call this new dashboard within app B, BB. However, the searches within dashboard BB failed due to KO's with app A only permissions. When running dashboard BB I saw errors such as 'lookup does not exist' and not found' errors relating to field extractions/lookups/tokens. SO, I located each KO and changed the permissions to global rather than restricted to app A. This worked. I could then run dashboard BB without issue. However, users with role B access to App B could also SEE App A from the app selection menu and I was asked to remove this so that role B users could only see App B and no other app. I then changed read permissions on App A to role A and admin. This obviously removed read permissions to App A for role B. Removing read permissions for role B to the app A meant that even though the KO's within App A had global permissions, users with role B access could no longer run the dashboard BB successfully and the previous reported errors appeared. It did however remove it from the app selection menu as expected. My question: Without cloning the required knowledge objects (one fact, one place), how do I grant access for role B users to access KO's owned by app A BUT with global permissions but remove App A availability for role B users? In hindsight, I would have MOVED the dashboard AA in to App B. I hope the above makes sense? Any help or advice anyone can offer at this point would be greatly appreciated. Kind regards, Rob. ... View more

Good morning. I am currently constructing a number of reports showing information relating to our domain controllers. E.g. host=domaincontrollers* EventCode=>4944 OR EventCode<=4945 OR EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=4949 OR EventCode=4950 OR EventCode=4951 OR EventCode=4952 OR EventCode=4953 OR EventCode=4954 OR EventCode=4957 OR EventCode=4958 This report should list MPSSVC Rule-Level Policy Changes for the Windows Firewall on the domain controllers. When there are ranges of event codes available (as above with EventCode 4944-4954) is there a better way to capture all events in a more efficient way? Many thanks in advance for any help you can offer. Kind regards, Rob. ... View more