Dashboards & Visualizations

How to build a dynamic dashboard for ad events?

christianubeda
Path Finder

Hi team!

I need a dashboard that shows when a Windows account is locked out (EventCode = 4740), but at the same time I want the entry to disappear if, after some time, it finds EventCode = 4767 (the account has been unlocked).

I only want to show locked accounts.

Is it possible to do something like that?

This is what I have. Any advice?

index=main (EventCode=4740 AND EventCode!=4767) | stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time 
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
1 Solution

woodcock
Esteemed Legend

Like this:

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY user
| where MostRecentEventCode!="4767"
| stats count first(_raw) AS _raw first(_time) AS _time BY user

christianubeda
Path Finder

Thanks for your answer.

I've tried but it's not working.

I have a case in which it shows me a lockout event (4740), but 20 minutes later an unlock event (4767) appears, so it should not be showing me the previous event. But it does.

Any ideas?

index=main (EventCode="4740" OR EventCode="4767")
| eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| where MostRecentEventCode!="4767"
| stats values(host), values(EventCodeDescription), values(Nombre_de_cuenta),values(Nombre_de_equipo_del_autor_de_la_llamada), values(action) by _time
| rename values(host) as "DC Server", values(EventCodeDescription) as Description, values(Nombre_de_cuenta) as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)


woodcock
Esteemed Legend

You might try swapping the 2 BY user portions for BY user host. The general concept is sound and will work but may require some adjustment.


christianubeda
Path Finder

I did that and it works:

index=main (EventCode=4740 OR EventCode=4767)

| stats values(EventCode) as MostRecentEventCode, values(host) values(Nombre_de_equipo_del_autor_de_la_llamada), values(action), values(_time), values(name) by Nombre_de_cuenta | mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode
| where MostRecentEventCode!="4767" AND MostRecentEventCode!="4740 4767" | rename values(host) as "DC Server", values(name) as Description, Nombre_de_cuenta as "Nombre de la cuenta",values(Nombre_de_equipo_del_autor_de_la_llamada) as "Equipo que ha bloqueado la cuenta de usuario", values(action) as Action, values(_time) as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)
| table "Nombre de la cuenta" "Equipo que ha bloqueado la cuenta de usuario" Description Action Date

| mvcombine delim="" MostRecentEventCode | nomv MostRecentEventCode

It works! Thank you


christianubeda
Path Finder

I have an idea!

With this I get events with 2 EventCodes:

index=main (EventCode="4740" OR EventCode="4767") | eventstats first(EventCode) AS MostRecentEventCode BY Nombre_de_cuenta
| stats values(_time), values(EventCode) by Nombre_de_cuenta

And if I merge the two EventCodes into a single field, I get something like "47404767".

So I can do | where MostRecentEventCode!="4767" OR MostRecentEventCode!="47404767"

Can I do it? How?


renjith_nair
SplunkTrust

@christianubeda,

Does this work for you ?

index=main (EventCode=4740 OR EventCode=4767)
| stats latest(EventCode) as EventCode ... "other required fields here" by Account_Field_Name
| where EventCode=4740
Happy Splunking!
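The core of both answers above is "the most recent lockout-related event per account decides whether the account is still locked": eventstats first(EventCode) BY user in the accepted answer, or stats latest(EventCode) BY account in the last reply. The following Python is an added example, not code from the thread or from Splunk, that implements the same rule over a few constructed Windows Security records so the logic can be checked outside SPL. It also handles an edge case the SPL does not: Windows writes 4767 only when someone unlocks the account, not when the lockout expires on its own, so a 4740 older than the domain's lockout duration is no longer a live lockout. The record layout, the account/host field names and LOCKOUT_DURATION_S are my assumptions. A second function reproduces the set-of-codes variant (what values(EventCode) yields) to show why it is fragile: it cannot distinguish 4767-then-4740 from 4740-then-4767, so an account relocked after an unlock would be hidden.

```python
"""
Added example: 'latest event per account wins' lockout state, in Python.
Assumptions (not from the original post):
  - each record is a dict with _time (epoch seconds), EventCode (int),
    account (TargetUserName / Nombre_de_cuenta) and host (the reporting DC)
  - LOCKOUT_DURATION_S stands in for the domain 'Account lockout duration'
"""
from collections import defaultdict

LOCKED = 4740      # A user account was locked out
UNLOCKED = 4767    # A user account was unlocked (manual unlock only)
LOCKOUT_DURATION_S = 30 * 60  # assumed policy value, adjust to your domain

# Constructed sample events (not real logs), deliberately out of time order.
SAMPLE_EVENTS = [
    {"_time": 1000, "EventCode": 4740, "account": "alice", "host": "DC01"},
    {"_time": 2200, "EventCode": 4767, "account": "alice", "host": "DC02"},  # unlocked 20 min later
    {"_time": 1500, "EventCode": 4740, "account": "bob",   "host": "DC01"},  # still locked
    {"_time": 1600, "EventCode": 4767, "account": "carol", "host": "DC01"},  # unlocked ...
    {"_time": 1700, "EventCode": 4740, "account": "carol", "host": "DC01"},  # ... then locked again
    {"_time": 100,  "EventCode": 4740, "account": "dave",  "host": "DC01"},  # lockout expired by itself
]


def latest_event_per_account(events):
    """Equivalent of `stats latest(EventCode) ... by account`: for each account keep
    the record with the greatest _time, whatever order the records arrive in."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["account"])
        if cur is None or ev["_time"] > cur["_time"]:
            latest[ev["account"]] = ev
    return latest


def currently_locked(events, now, lockout_duration_s=LOCKOUT_DURATION_S):
    """Accounts whose most recent lockout-related event is a 4740 that has not
    yet aged past the lockout duration. Rows are sorted by account name."""
    rows = []
    for account, ev in sorted(latest_event_per_account(events).items()):
        if ev["EventCode"] != LOCKED:
            continue                      # latest event is an unlock
        if now - ev["_time"] > lockout_duration_s:
            continue                      # auto-expired; Windows logs no 4767 for this
        rows.append({"account": account, "dc": ev["host"], "locked_at": ev["_time"]})
    return rows


def codes_seen_per_account(events):
    """The set-based variant from the thread (what `values(EventCode)` returns).
    Order is lost, so carol's relock after an unlock looks the same as alice's
    unlock after a lock; filtering on the combined string hides both."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["account"]].add(ev["EventCode"])
    return {account: sorted(codes) for account, codes in seen.items()}


if __name__ == "__main__":
    for row in currently_locked(SAMPLE_EVENTS, now=2400):
        print(row)
```

With now=2400, only bob and carol are reported: alice's latest event is the unlock, and dave's lockout is older than the assumed 30-minute policy. The same ordering concern applies to the SPL: stats latest() keys on _time and is safe after any preceding command, whereas eventstats first() relies on the events still being in reverse-chronological order when it runs.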