Management Activities index="$idx$" sourcetype="$st$" |timechart span=1d count(eval(EventCode="626" OR EventCode="627" OR EventCode="628" OR EventCode="629" OR EventCode="632" OR EventCode="633" OR EventCode="636" OR EventCode="637" OR EventCode="644" OR EventCode="650" OR EventCode="651" OR EventCode="655" OR EventCode="656" OR EventCode="660" OR EventCode="661" OR EventCode="665" OR EventCode="666" OR EventCode="671" OR EventCode="685" OR EventCode="4722" OR EventCode="4723" OR EventCode="4724" OR EventCode="4725" OR EventCode="4728" OR EventCode="4729" OR EventCode="4732" OR EventCode="4733" OR EventCode="4740" OR EventCode="4746" OR EventCode="4747" OR EventCode="4751" OR EventCode="4752" OR EventCode="4756" OR EventCode="4757" OR EventCode="4761" OR EventCode="4762" OR EventCode="4767" OR EventCode="4781")) AS acc_modified,count(eval(EventCode="624" OR EventCode="645" OR EventCode="4720" OR EventCode="4741")) AS acc_created,count(eval(EventCode="630" OR EventCode="647" OR EventCode="4726" OR EventCode="4743")) AS acc_removed,count(eval(EventCode="626" OR EventCode="4722")) AS acc_enabled,count(eval(EventCode="629" OR EventCode="4725")) AS acc_disabled,count(eval(EventCode="644" OR EventCode="4740")) AS acc_locked,count(eval(EventCode="671" OR EventCode="4767")) AS acc_unlocked $field1.earliest$ $field1.latest$

Select The Index All * index index | eventcount summarize=false index=* | dedup index | fields index Select Sourcetype WinEventLog:Security WinEventLog:Security sourcetype sourcetype |metadata type=sourcetypes|table sourcetype|search NOT sourcetype="WinEventLog:Security" Date -7d@h now

|table _time acc_created |sort _time none value block 0 ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"] [0,30,70,100] 1 1 standard absolute after 1 1 -24h |table _time acc_removed |sort _time none value block 0 ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"] [0,30,70,100] 1 1 standard absolute after 1 1 -24h |table _time acc_modified |sort _time none value block 0 ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"] [0,30,70,100] 1 1 standard absolute after 1 1 -24h |table _time acc_created acc_removed|timechart sum(acc_created) AS acc_created,sum(acc_removed) AS acc_removed area ellipsisNone 0 visible visible visible linear linear 0 inherit 50 10 area gaps all true 0.01 stacked shiny all 0 0 ellipsisMiddle right |timechart sum(acc_disabled) AS acc_disabled,sum(acc_enabled) AS acc_enabled column ellipsisNone 0 visible visible visible linear linear 0 inherit 50 10 area gaps none 0.01 stacked shiny all 0 0 ellipsisMiddle bottom |timechart sum(acc_locked) AS acc_locked,sum(acc_unlocked) AS acc_unlocked bar ellipsisNone 0 visible visible visible linear linear 0 inherit 50 10 area gaps none 0.01 stacked shiny all 0 0 ellipsisMiddle bottom index="$idx$" sourcetype="$st$" (EventCode="4947" OR EventCode="4946" OR EventCode="4948") |timechart count $field1.earliest$ $field1.latest$ ellipsisNone 0 visible visible visible linear linear 0 inherit line 50 10 area gaps all true 0.01 default shiny all 0 0 ellipsisMiddle right index="$idx$" sourcetype="$st$" (EventCode=612 OR EventCode=4715 OR EventCode="643" OR EventCode="4739") |timechart count -7d@h now ellipsisNone 0 visible visible visible linear linear 0 inherit column 50 10 area gaps all 0.01 default shiny all 0 0 ellipsisMiddle right