SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
July 3, 2024

Create visual

Add filter
event.code is one of 4732 4733
(4732 = a member was added to a security-enabled local group, 4733 = a member was removed from one. Press Enter after each number so Kibana stores them as two separate values rather than one string.)

group.name is administrators
(Filtering on group.name rather than group.name.keyword goes through the text analyzer, so the match is case-insensitive and catches "Administrators" as Windows logs it.)

Double check that the field user.name.keyword exists in the index pattern. For 4732/4733, winlogbeat maps user.name to the subject account that made the change, not the account that was added or removed; that account only appears as a SID in winlog.event_data.MemberSid.

Change visualization type to table

Rows:
user.name.keyword - number of values 1000

Metrics: count

More rows:
winlog.event_data.MemberSid.keyword - number of values 1000

group.name.keyword - number of values 1000

event.action.keyword - number of values 1000

host.name.keyword - number of values 1000

Finally, add @timestamp as a row so each change is shown with when it happened, and narrow the time picker to the timeframe being investigated. Setting the number of values to 1000 on every row keeps the table from dropping entries.
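The same filter and table logic, as an added example that is not part of the original page and does not use any Elastic client library. It runs the page's conditions (event.code in 4732/4733, group.name administrators, a time window) over a handful of constructed winlogbeat-style events and counts per row tuple the way the Kibana table does, then builds the equivalent Elasticsearch request body (bool filter plus a composite aggregation). The sample events, SID values, host names and account names are invented; the event.action strings follow the names winlogbeat's security module assigns to these event IDs.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Event IDs from the Kibana filter: member added to / removed from a
# security-enabled local group.
TARGET_CODES = {"4732", "4733"}

# The five fields used as table rows on the page (".keyword" is added only
# in the Elasticsearch request, where the keyword multi-field is queried).
ROW_FIELDS = ("user.name", "winlog.event_data.MemberSid",
              "group.name", "event.action", "host.name")


def make_event(ts, code, action, subject, member_sid, group, host):
    """Build one winlogbeat/ECS-shaped document (constructed test data)."""
    return {"@timestamp": ts, "event": {"code": code, "action": action},
            "user": {"name": subject}, "group": {"name": group},
            "host": {"name": host},
            "winlog": {"event_data": {"MemberSid": member_sid}}}


# Constructed sample events, not real logs.
SID_A = "S-1-5-21-1111-2222-3333-1105"
SAMPLE_EVENTS = [
    make_event("2024-07-03T09:15:00Z", "4732", "added-member-to-group",
               "jdoe", SID_A, "Administrators", "WKS01"),
    make_event("2024-07-03T09:20:00Z", "4733", "removed-member-from-group",
               "jdoe", SID_A, "Administrators", "WKS01"),
    # Wrong group: dropped by the group.name filter.
    make_event("2024-07-03T10:00:00Z", "4732", "added-member-to-group",
               "svc-deploy", "S-1-5-21-1111-2222-3333-1200",
               "Remote Desktop Users", "WKS01"),
    # Right group and code, but the day before: outside the timeframe.
    make_event("2024-07-02T23:59:00Z", "4732", "added-member-to-group",
               "jdoe", SID_A, "Administrators", "WKS01"),
    # Global (domain) group change, 4728: not one of the filtered codes.
    make_event("2024-07-03T11:00:00Z", "4728", "added-member-to-group",
               "jdoe", SID_A, "Domain Admins", "DC01"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def get_field(doc, path):
    """Walk a dotted ECS path such as 'winlog.event_data.MemberSid'."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def local_group_changes(events, start, end, group="administrators"):
    """Apply the page's filters and count per row tuple, like the table."""
    rows = defaultdict(lambda: {"count": 0, "timestamps": []})
    for doc in events:
        if get_field(doc, "event.code") not in TARGET_CODES:
            continue
        # The filter on group.name (a text field) is analyzed, so it is
        # case-insensitive; group.name.keyword would need an exact match.
        if (get_field(doc, "group.name") or "").lower() != group.lower():
            continue
        ts = parse_ts(doc["@timestamp"])
        if not start <= ts < end:
            continue
        key = tuple(get_field(doc, f) for f in ROW_FIELDS)
        rows[key]["count"] += 1
        rows[key]["timestamps"].append(ts)
    return dict(rows)


def es_request(start, end, group="administrators", size=1000):
    """The same table as an Elasticsearch request body: bool filter plus a
    composite aggregation with one terms source per row field. size=1000
    mirrors the 'number of values' set on each row in Kibana."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"event.code": sorted(TARGET_CODES)}},
            {"match_phrase": {"group.name": group}},
            {"range": {"@timestamp": {"gte": start.isoformat(),
                                      "lt": end.isoformat()}}},
        ]}},
        "aggs": {"rows": {"composite": {
            "size": size,
            "sources": [{f.replace(".", "_"): {"terms": {"field": f + ".keyword"}}}
                        for f in ROW_FIELDS],
        }}},
    }


if __name__ == "__main__":
    start, end = parse_ts("2024-07-03T00:00:00Z"), parse_ts("2024-07-04T00:00:00Z")
    for key, info in local_group_changes(SAMPLE_EVENTS, start, end).items():
        print(info["count"], *key, info["timestamps"][0].isoformat())
```

Run as-is it prints two rows for 3 July 2024: jdoe adding SID_A to Administrators on WKS01 and jdoe removing it five minutes later; the Remote Desktop Users change, the 2 July event and the 4728 domain-group event are all excluded, which is exactly what the three Kibana filters plus the time picker do.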

