{"id":7982,"date":"2026-03-04T22:50:12","date_gmt":"2026-03-04T20:50:12","guid":{"rendered":"https:\/\/scalemedia.co.za\/cybermedia\/?post_type=docs&#038;p=7982"},"modified":"2026-03-04T22:50:14","modified_gmt":"2026-03-04T20:50:14","password":"","slug":"siem-visualization-example-4","status":"publish","type":"docs","link":"https:\/\/scalemedia.co.za\/cybermedia\/docs\/siem-visualization-example-4\/","title":{"rendered":"SIEM Visualization Example 4"},"content":{"rendered":"\n<p><strong>Users Added Or Removed From A Local Group (Within A Specific Timeframe)<\/strong><\/p>\n\n\n\n<p>In this SIEM visualization example, we aim to create a visualization to monitor user additions to, or removals from, the local &#8220;Administrators&#8221; group from March 5th 2023 to date. Membership of this group is the most direct route to full control of a host, so an unexpected addition deserves a closer look regardless of who performed it.<\/p>\n\n\n\n<p>Our visualization will be based on the following Windows Security log events. Both are logged for <em>any<\/em> security-enabled local group, not only &#8220;Administrators&#8221;, so the event ID alone does not identify what we are after; the group name has to be filtered as well.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=4732\" target=\"_blank\" rel=\"noreferrer noopener\">4732: A member was added to a security-enabled local group<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=4733\" target=\"_blank\" rel=\"noreferrer noopener\">4733: A member was removed from a security-enabled local group<\/a><\/li>\n<\/ul>\n\n\n\n<p>Navigate to&nbsp;<code>http:\/\/[Target IP]:5601<\/code> on the lab target, click on the side navigation toggle, and click on &#8220;Dashboard&#8221;.<\/p>\n\n\n\n<p>A prebaked dashboard should be visible.\u0020
Let&#8217;s click on the &#8220;pencil&#8221;\/edit icon to put the dashboard into edit mode.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization16.png\" alt=\"Elastic dashboard with SOC-Alerts listed, option to create or edit dashboards.\"\/><\/figure>\n\n\n\n<p>To start building the visualization, click on the &#8220;Create visualization&#8221; button. The Lens editor opens in a new window with the options and settings shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization1.png\" alt=\"Elastic dashboard: Add filter, select windows index, bar vertical stacked chart.\"\/><\/figure>\n\n\n\n<p>There are four things for us to notice on this window:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The filter bar, which restricts the data before it is aggregated into a graph. Our goal is to display user additions to, or removals from, the local &#8220;Administrators&#8221; group, so we add two filters: one that only keeps event IDs matching\u00a0<code>4732 \u2013 A member was added to a security-enabled local group<\/code>\u00a0and\u00a0<code>4733 \u2013 A member was removed from a security-enabled local group<\/code>, and a second one that only keeps those 4732 and 4733 events whose local group is &#8220;Administrators&#8221;. The second filter is not optional: without it the table would also list changes to groups such as &#8220;Remote Desktop Users&#8221; or &#8220;Backup Operators&#8221;.<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization44.png\" alt=\"Elastic dashboard filter: event.code is 4732 or 4733, group.name is administrators.\"><\/li>\n\n\n\n<li>The index pattern, which selects the data set (index) the visualization reads from. It is common for data from different infrastructure sources to be kept in separate indices, such as network, Windows, Linux, etc. In this particular example, we will specify\u00a0<code>windows*<\/code>\u00a0in the &#8220;Index pattern&#8221;.<\/li>\n\n\n\n<li>The field search bar, which lets us confirm that a specific field exists in the selected data set before we build on it. We are interested in the\u00a0<code>user.name.keyword<\/code>\u00a0field; searching for it here verifies that the field is present and has been discovered in the index, so we know we are aggregating on the field we intend to.<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization11.png\" alt=\"Elastic dashboard: Filter event.code 4625, search user fields.\"><\/li>\n\n\n\n<li>Lastly, the drop-down menu that selects the visualization type. The default shown in the earlier image is &#8220;Bar vertical stacked&#8221;; clicking it reveals the other available types (image redacted as not all options fit on the screen), from which we pick the one that best fits the data we want to present.<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization4.png\" alt=\"Visualization type menu: Bar vertical stacked selected.\"><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>For this visualization, let&#8217;s select the &#8220;Table&#8221; option. After selecting &#8220;Table&#8221;, click on the &#8220;Rows&#8221; option. This is where we choose the fields that become the rows of the table.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization5.png\" alt=\"Table configuration: Add fields to Rows, Columns, and Metrics.\"\/><\/figure>\n\n\n\n<p>Let&#8217;s configure the &#8220;Rows&#8221; settings as follows: the field is\u00a0<code>user.name.keyword<\/code>\u00a0(for 4732 and 4733 this is the event&#8217;s Subject, i.e. the account that performed the change, not the member being changed), showing the top 1000 values ranked by record count in descending order.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization6.png\" alt=\"Rows configuration: Select user.name.keyword, top 1000 values, ranked by count of records in descending order.\"\/><\/figure>\n\n\n\n<p>Moving forward, let&#8217;s close the &#8220;Rows&#8221; window and open the &#8220;Metrics&#8221; configuration.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization7.png\" alt=\"Table configuration: Rows set to top values of user.name.keyword, add fields to Columns and Metrics.\"\/><\/figure>\n\n\n\n<p>In the &#8220;Metrics&#8221; window, let&#8217;s select &#8220;count&#8221; as the desired metric, so that each row shows how many matching events it covers.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization8.png\" alt=\"Metrics selection: Choose 'Count' function.\"\/><\/figure>\n\n\n\n<p>One final addition to the table is a few more &#8220;Rows&#8221; fields, so that each row answers the questions an analyst will ask about the change:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which account was added to or removed from the group? (<code>winlog.event_data.MemberSid.keyword<\/code>\u00a0field; the event identifies the member by SID, so a SID is what we get here)<\/li>\n\n\n\n<li>To which group was the addition or the removal performed? (double-checking that it is the &#8220;Administrators&#8221; one) (<code>group.name.keyword<\/code>\u00a0field)<\/li>\n\n\n\n<li>Was the user added to or removed from the group? (<code>event.action.keyword<\/code>\u00a0field)<\/li>\n\n\n\n<li>On which machine did the action occur? (<code>host.name.keyword<\/code>\u00a0field; local group membership is per host, so the same change on two machines is two separate findings)<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization46.png\" alt=\"Table showing top values of user.name, winlog.event_data.MemberSid, group.name, event.action, host.name, with record counts.\"><\/li>\n<\/ul>\n\n\n\n<p>Click on &#8220;Save and return&#8221;, and you will observe that the new visualization is added to the dashboard.<\/p>\n\n\n\n<p>As discussed, we want to monitor user additions or removals from the local &#8220;Administrators&#8221; group&nbsp;<em>within a specific timeframe (March 5th 2023 to date)<\/em>.<\/p>\n\n\n\n<p>We can narrow the scope of our visualization as follows. With the dashboard still in edit mode, open the new panel&#8217;s options menu, choose &#8220;Customize time range&#8221;, set the start to March 5, 2023, leave the end at &#8220;now&#8221;, and apply. A panel-level time range overrides the dashboard&#8217;s global time picker for that panel only, so the other panels keep their own scope.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization47.png\" alt=\"Dashboard showing failed logon attempts and RDP logon for service account, with options to edit lens and create drilldown.\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization48.png\" alt=\"Dashboard showing failed logon attempts and RDP logon for service account, with options to customize time range.\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization50.png\" alt=\"Dashboard with failed logon attempts and RDP logon, showing panel time range customization to March 5, 2023.\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Users Added Or Removed From A Local Group (Within A\u0020
Specific Timeframe) In this SIEM visualization example, we aim to create a visualization to monitor user additions or removals from the local &#8220;Administrators&#8221; group from March 5th 2023 to date. Our visualization will be based on the following Windows event logs. Navigate to the bottom&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"doc_category":[46],"doc_tag":[],"class_list":["post-7982","docs","type-docs","status-publish","hentry","doc_category-security-monitoring-siem-fundamentals"],"year_month":"2026-04","word_count":649,"total_views":0,"reactions":{"happy":0,"normal":0,"sad":0},"author_info":{"name":"admin","author_nicename":"admin","author_url":"https:\/\/scalemedia.co.za\/cybermedia\/author\/admin\/"},"doc_category_info":[{"term_name":"Security Monitoring &amp; SIEM 
Fundamentals","term_url":"https:\/\/scalemedia.co.za\/cybermedia\/docs-category\/security-monitoring-siem-fundamentals\/"}],"doc_tag_info":[],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7982"}],"version-history":[{"count":1,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7982\/revisions"}],"predecessor-version":[{"id":7983,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7982\/revisions\/7983"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media?parent=7982"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_category?post=7982"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_tag?post=7982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
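An offline equivalent of the table this page builds, as an added example that is not part of the original page: it encodes the two filter pills and the panel time range as the Elasticsearch query DSL the Lens panel ends up issuing, and applies the same conditions and row grouping to a few constructed Winlogbeat-style documents. The field names are the ones the page's table uses; the documents, SIDs, host names and the `event.action` strings are assumptions made for illustration, and the three deliberately non-matching documents show why each of the three conditions is needed.

```python
"""Offline equivalent of the Lens table built above: the same two filters, the
same per-panel time range and the same row grouping, applied to a handful of
constructed Winlogbeat-style documents. This is an added example, not code from
the page; the documents, SIDs and host names are invented for illustration."""
from collections import Counter
from datetime import datetime, timezone

TARGET_CODES = {"4732", "4733"}
TARGET_GROUP = "administrators"   # the page's filter pill shows the value lowercased
PANEL_START = "2023-03-05"        # customised panel time range start; end is "now"
ROW_FIELDS = ("user.name", "winlog.event_data.MemberSid",
              "group.name", "event.action", "host.name")

# The same two filters typed into the Kibana query bar as KQL instead of pills.
KQL_FILTER = "event.code:(4732 or 4733) and group.name:administrators"


def doc(ts, code, action, actor, group, member_sid, host):
    """Build one constructed document in the field layout Winlogbeat's security
    module emits for 4732/4733 (only the fields the table uses are included)."""
    return {"@timestamp": ts,
            "event": {"code": code, "action": action},
            "user": {"name": actor},            # the event's Subject (who did it)
            "group": {"name": group},           # the local group that was changed
            "winlog": {"event_data": {"MemberSid": member_sid}},
            "host": {"name": host}}


ADD, REM = "added-member-to-group", "removed-member-from-group"   # assumed values
SAMPLE_DOCS = [
    doc("2023-03-06T09:12:00Z", "4732", ADD, "administrator", "Administrators",
        "S-1-5-21-1111-2222-3333-1105", "WS001"),
    doc("2023-03-06T09:15:00Z", "4733", REM, "administrator", "Administrators",
        "S-1-5-21-1111-2222-3333-1105", "WS001"),
    doc("2023-03-09T17:40:00Z", "4732", ADD, "administrator", "Administrators",
        "S-1-5-21-1111-2222-3333-1105", "WS001"),   # repeat: same row, count 2
    # Same event ID, different group: the group filter must drop it.
    doc("2023-03-07T11:00:00Z", "4732", ADD, "svc-deploy", "Remote Desktop Users",
        "S-1-5-21-1111-2222-3333-1200", "WS002"),
    # Right group, but before the panel start date: the time range must drop it.
    doc("2023-03-01T08:00:00Z", "4732", ADD, "administrator", "Administrators",
        "S-1-5-21-1111-2222-3333-1300", "WS001"),
    # Unrelated event ID inside the time range: the event.code filter must drop it.
    doc("2023-03-08T08:00:00Z", "4625", "logon-failed", "bob", "", "", "WS003"),
]


def build_query(start_iso=PANEL_START):
    """Elasticsearch query DSL equivalent of the two Lens filter pills plus the
    customised panel time range (a Kibana 'is' pill compiles to match_phrase)."""
    return {"query": {"bool": {"filter": [
        {"terms": {"event.code": sorted(TARGET_CODES)}},
        {"match_phrase": {"group.name": TARGET_GROUP}},
        {"range": {"@timestamp": {"gte": start_iso, "lte": "now"}}},
    ]}}}


def get_path(d, dotted):
    """Resolve an ECS dotted field name against a nested document."""
    for part in dotted.split("."):
        if not isinstance(d, dict) or part not in d:
            return None
        d = d[part]
    return d


def matches(d, start):
    """Apply the same three conditions as build_query() to one document."""
    ts = datetime.fromisoformat(d["@timestamp"].replace("Z", "+00:00"))
    group = get_path(d, "group.name") or ""
    return (get_path(d, "event.code") in TARGET_CODES
            and group.lower() == TARGET_GROUP
            and ts >= start)


def summarize(docs, start_iso=PANEL_START):
    """Return the table rows: one (actor, member SID, group, action, host) tuple
    per distinct combination with its record count, highest count first."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    rows = Counter(tuple(get_path(d, f) for f in ROW_FIELDS)
                   for d in docs if matches(d, start))
    return rows.most_common()


if __name__ == "__main__":
    for row, count in summarize(SAMPLE_DOCS):
        print(count, *row)
```

Run stand-alone it prints two rows for the sample data, the repeated addition with a count of 2 and the removal with a count of 1; the other three documents are dropped by the group filter, the time range and the event-code filter respectively. Widening `start_iso` to an earlier date brings the March 1st addition back, which is the same effect as moving the panel's start date in Kibana.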