Watcher alerting for winlogbeat

Hi,

I need to have watcher enabled or machine learning enabled for this specific function.

I have a saved search in kibana named as – Windows Event ID - 4740 - Account Lockout

It is a filter for only the event id 4740 from winlogbeat.

I would like to know or get notified when the unique count of event_data.TargetUserName has more than 4 entries in 24 hours.

I would like to have the notification from either watcher or machine learning with these fields if that particular criterion was met:

event_data.SubjectDomainName

event_data.SubjectUserName

event_data.TargetDomainName

event_data.TargetUserName

event_id

@timestamp

Please do let me know how to create a watcher for this.

Thanks,
Raj

Hey,

basically this question boils down to whether you are able to write a query that returns your required data.

You need to execute a search that filters by timestamp and is doing a terms aggregation with a min doc count of 4 on the target user name field.

If you get back any aggregation results, then you need to execute a search transform to retrieve all the data of the usernames that were returned in the bucket, which then can be used in an action (like sending an email or sending a slack notification).

You might want to check the examples repo for watcher and this blog post to learn how to write and debug watches with short iteration circles.

--Alex
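A watch definition that follows the design in the reply above, written as an added example for this thread (it is not code from either poster or from the Elastic examples repo). It assumes winlogbeat indices named `winlogbeat-*`, that `event_data.TargetUserName` is mapped as a keyword (a terms aggregation needs that), and an email account and recipient that are placeholders. It reads "more than 4" strictly, so `min_doc_count` is 5. One deliberate change from the reply: instead of a second search in a transform, a `top_hits` sub-aggregation returns the six requested fields for each locked-out account in the same search, which avoids templating the bucket keys back into a query. The 24h `throttle_period` keeps one lockout pattern from producing an email every hour while it stays inside the 24h window.

```json
{
  "trigger": { "schedule": { "interval": "1h" } },
  "input": {
    "search": {
      "request": {
        "indices": ["winlogbeat-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "event_id": 4740 } },
                { "range": { "@timestamp": { "gte": "now-24h" } } }
              ]
            }
          },
          "aggs": {
            "locked_users": {
              "terms": {
                "field": "event_data.TargetUserName",
                "min_doc_count": 5,
                "size": 50
              },
              "aggs": {
                "events": {
                  "top_hits": {
                    "size": 10,
                    "sort": [{ "@timestamp": { "order": "desc" } }],
                    "_source": [
                      "event_data.SubjectDomainName",
                      "event_data.SubjectUserName",
                      "event_data.TargetDomainName",
                      "event_data.TargetUserName",
                      "event_id",
                      "@timestamp"
                    ]
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.locked_users.buckets.size() > 0"
    }
  },
  "throttle_period": "24h",
  "actions": {
    "notify_security_team": {
      "email": {
        "account": "placeholder_smtp_account",
        "to": ["security-team@example.com"],
        "subject": "Event 4740: accounts locked out more than 4 times in the last 24h",
        "body": {
          "text": "{{#ctx.payload.aggregations.locked_users.buckets}}{{key}}: {{doc_count}} lockouts\n{{#events.hits.hits}}  {{_source.@timestamp}} event_id={{_source.event_id}} target={{_source.event_data.TargetDomainName}}\\{{_source.event_data.TargetUserName}} subject={{_source.event_data.SubjectDomainName}}\\{{_source.event_data.SubjectUserName}}\n{{/events.hits.hits}}{{/ctx.payload.aggregations.locked_users.buckets}}"
        }
      }
    }
  }
}
```

Store it with `PUT _xpack/watcher/watch/account_lockouts` and run it once with `POST _xpack/watcher/watch/account_lockouts/_execute` to inspect `ctx.payload` before trusting the condition; if the index has no 4740 events with five repeats, lower `min_doc_count` temporarily to confirm the email renders. The saved search in Kibana cannot be referenced from a watch, so its filter is restated here as the `term` on `event_id`.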
