Trying to build a data table with split rows from multiple Windows event IDs.
Event ID 4648 - Network Logon with exp credentials
Grabbing the following:
Computer_Name TargetUsername SubjectUsername TargetServer
works great. But I want to have a table with several different event IDs that may or may not have that field.
Event ID 4624 - NTLM Authentication
Computer_Name TargetUsername SubjectUsername ... but not TargetServer
so you can't see both event IDs on the same data table.
Is there a way to still show the data table even if the event IDs don't have the same exact fields? I.e. if the field isn't present for that event ID, just show it as blank?
So I could show both 4648 and 4624 in the same table on the same visualization with similar but not perfect matching fields?
Are you aggregating anything in this data table? If not, you can show these columns regardless of each doc having that field in the Discover table.
But I'm guessing you're getting some count of each of these IDs or something? Or the list of unique IDs?
I am splitting the rows like this ...
... the end goal of this is to show if/then logic behind the scenes... if event 4648 AND event 4697 happen for the same computer_name within 5 minutes of each other (by @timestamp), display these in the table.
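The two things asked for above (one table over events whose fields differ, and a per-host time-window correlation of 4648 followed by 4697) are easy to show outside Kibana. This is an added example, not code from anyone in the thread; the events are constructed sample records, and the field names (`Computer_Name`, `TargetUsername`, `SubjectUsername`, `TargetServer`, `event_id`) are assumed to match the index mapping.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the thread). Note the fields differ per event ID:
# 4648 carries TargetServer, 4624 and 4697 do not.
EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00", "event_id": 4648, "Computer_Name": "WS01",
     "TargetUsername": "svc-demo", "SubjectUsername": "alice", "TargetServer": "FS01"},
    {"@timestamp": "2024-01-01T10:03:00", "event_id": 4697, "Computer_Name": "WS01",
     "SubjectUsername": "alice", "ServiceName": "demo-service"},
    {"@timestamp": "2024-01-01T10:01:00", "event_id": 4624, "Computer_Name": "WS02",
     "TargetUsername": "bob", "SubjectUsername": "-"},
    {"@timestamp": "2024-01-01T12:00:00", "event_id": 4697, "Computer_Name": "WS02",
     "SubjectUsername": "bob", "ServiceName": "updater"},
]

# Columns the combined table should show, whether or not every event has them.
COLUMNS = ["Computer_Name", "event_id", "TargetUsername", "SubjectUsername", "TargetServer"]


def ts(event):
    """Parse the @timestamp string into a datetime for window comparisons."""
    return datetime.fromisoformat(event["@timestamp"])


def table_rows(events, columns=COLUMNS):
    """Flatten events with differing fields into one table; a missing field becomes ''."""
    return [[str(e.get(col, "")) for col in columns] for e in sorted(events, key=ts)]


def correlate(events, first_id=4648, second_id=4697, window=timedelta(minutes=5)):
    """Return (first, second) event pairs on the same Computer_Name within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["Computer_Name"]].append(e)
    pairs = []
    for evs in by_host.values():
        firsts = [e for e in evs if e["event_id"] == first_id]
        seconds = [e for e in evs if e["event_id"] == second_id]
        for a in firsts:
            for b in seconds:
                if abs(ts(a) - ts(b)) <= window:
                    pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for row in table_rows(EVENTS):
        print(" | ".join(row))
    for a, b in correlate(EVENTS):
        print(f"{a['Computer_Name']}: 4648 at {a['@timestamp']} then 4697 at {b['@timestamp']}")
```

In the sample data only WS01 has both events within five minutes; WS02's 4697 is two hours after its logon and is not paired.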
I'm thinking that's going to be pretty hard to do in Kibana (if it's even possible at all). I expected you would have to use the Advanced JSON Input field. Here's one example:
Wow, nice script
@colings86 and @jpountz @EricK if you have scripting enabled in elasticsearch you can use it within your date_histogram by overriding the aggregations parameters with the "JSON input" advanced config option. This would look something like the screenshot below (note the field: null bit which removes the field parameter from the params): [image]
You might need to post a question in the Elasticsearch channel to ask how to write the appropriate query, and then come back to Kibana and try to create the visualization.