gschanuel · April 26, 2022 19:06
diff --git a/event.json b/event.json
 {
  "@timestamp": "2022-04-20T22:05:01.466Z",
  "@metadata": {
    "beat": "metricbeat",
    "type": "_doc",
    "version": "7.17.0"
  },
  "metricset": {
    "name": "perfmon",
    "period": 10000
  },
  "event": {
    "dataset": "windows.perfmon",
    "module": "windows",
    "duration": 10001538300
  },
  "service": {
    "type": "windows"
  },
  "windows": {
    "perfmon": {
      "instance": "NTDS",
      "metrics": {
        "dra_inbound_bytes_total_sec": 4440.169084727925,
        "ds_pct_searches_from_kcc": 0.03787893769355319,
        "ds_security_descriptor_sub-operations_sec": 0.19998509558508842,
        "dra_inbound_bytes_compressed_intrasite_aftercomp_sinceboot": 5.81310384e+08,
        "rid_pool_request_successes_sinceboot": 0,
        "transitive_operations_sec": 0,
        "dra_outbound_values_total_sec": 4.899634841834666,
        "ds_security_descriptor_propagations_events": 0,
        "ldap_bind_time": 0,
        "database_recycles_sec": 0,
        "sam_enumerations_sec": 0,
        "dra_inbound_bytes_compressed_intrasite_beforecomp_sec": 3062.9717239812144,
        "ab_client_sessions": 0,
        "dra_highest_usn_committed_low_part": 7.22855177e+08,
        "dra_total_number_of_notenoughattrs_missingobject_failures_sinceboot": 0,
        "dra_number_of_nc_replication_calls_sinceboot": 115942,
        "dra_outbound_bytes_total_sinceboot": 1.764506393e+09,
        "dra_inbound_link_value_updates_remaining_in_packet": 0,
        "ds_pct_reads_from_dra": 2.679516735759122e-05,
        "dra_outbound_bytes_compressed_intrasite_aftercomp_sec": 0,
        "dra_outbound_objects_sec": 2.1998360514359727,
        "phantoms_visited_sec": 0,
        "digest_binds_sec": 0,
        "ds_pct_searches_from_sam": 0.5666120344178661,
        "approximate_highest_dnt": 1.274518e+06,
        "ldap_active_threads": 0,
        "dra_outbound_properties_sec": 4.899634841834666,
        "atq_queue_latency": 0,
        "ds_pct_writes_from_dra": 12.2073473382502,
        "dra_highest_usn_committed_high_part": 0,
        "dra_inbound_bytes_insite_sec": 1977.4526251453542,
        "ds_pct_writes_from_ldap": 28.355587402565625,
        "ldap_page_search_cache_entries_count": 0,
        "dra_outbound_bytes_insite_sec": 5000.427330009551,
        "ab_property_reads_sec": 0,
        "ds_directory_searches_sec": 42.49683281183129,
        "sam_user_creation_attempts_sec": 0,
        "ds_search_sub-operations_sec": 169.1873908649848,
        "ds_pct_reads_from_ntdsapi": 0.04170667799209074,
        "sam_non-transitive_membership_evaluations_sec": 11.599135543935128,
        "ds_threads_in_use": 0,
        "ab_anr_sec": 0,
        "dra_inbound_bytes_insite_sinceboot": 1.28224172e+09,
        "ds_server_binds_sec": 0,
        "sam_successful_computer_creations_sec_includes_all_requests": 0,
        "database_deletes_sec": 0,
        "ldap_new_ssl_connections_sec": 0,
        "ds_name_cache_hit_rate": 78.8044109112014,
        "sam_membership_changes_sec": 0,
        "ds_security_descriptor_propagator_runtime_queue": 0,
        "ldap_successful_binds_sec": 7.899411275610992,
        "dra_total_number_of_preempted_failures_sinceboot": 0,
        "dra_inbound_bytes_total_sinceboot": 1.863552104e+09,
        "sam_display_information_queries_sec": 0,
        "rid_pool_request_failures_sinceboot": 0,
        "ds_pct_writes_from_kcc": 0.2034324862805411,
        "ds_pct_searches_from_lsa": 0.5135685048298149,
        "ds_security_descriptor_propagator_average_exclusion_time": 0,
        "database_adds_sec": 0,
        "ds_pct_writes_from_ntdsapi": 7.5359152714180855,
        "dra_threads_getting_nc_changes_holding_semaphore": 0,
        "ds_pct_reads_from_lsa": 2.611195757789104,
        "dra_outbound_bytes_total_sec": 5000.427330009551,
        "ldap_new_connections_sec": 8.199388918988625,
        "ds_directory_reads_sec": 45.496609245607615,
        "atq_threads_ldap": 0,
        "dra_inbound_properties_filtered_sec": 0.09999254779254421,
        "dra_total_time_of_applying_replication_package_sinceboot": 54085,
        "ds_pct_searches_from_nspi": 0,
        "dra_inbound_properties_total_sec": 0.19998509558508842,
        "dra_pending_replication_synchronizations": 0,
        "atq_threads_total": 8,
        "ds_client_binds_sec": 6.699500702100462,
        "ntlm_binds_sec": 0,
        "dra_inbound_values_total_sec": 0.19998509558508842,
        "dra_sync_failures_on_schema_mismatch": 0,
        "rid_pool_invalidations_sinceboot": 0,
        "sam_password_changes_sec": 0,
        "ds_pct_writes_from_sam": 51.46055437100213,
        "ldap_page_search_cache_size": 0,
        "ds_client_name_translations_sec": 3.399746624946503,
        "ds_pct_searches_from_dra": 0,
        "phantoms_cleaned_sec": 0,
        "dra_inbound_properties_applied_sec": 0.09999254779254421,
        "ldap_writes_sec": 1.1999105735105304,
        "ldap_closed_connections_sec": 8.999329301328979,
        "ldap_udp_operations_sec": 1.9998509558508841,
        "atq_request_latency": 0,
        "dra_highest_usn_issued_high_part": 0,
        "ab_proxy_lookups_sec": 0,
        "ldap_client_sessions": 77,
        "dra_total_time_of_successfully_applying_replication_package_sinceboot": 54085,
        "dra_sync_requests_successful": 115943,
        "dra_threads_getting_nc_changes": 0,
        "dra_total_number_of_busy_failures_sinceboot": 0,
        "link_values_cleaned_sec": 0,
        "dra_total_time_on_waiting_async_replication_packages_sinceboot": 0,
        "sam_transitive_membership_evaluations_sec": 66.4950442820419,
        "dra_inbound_object_updates_remaining_in_packet": 0,
        "ds_pct_searches_from_ntdsapi": 5.109250896695986,
        "atq_estimated_queue_delay": 0,
        "sam_account_group_evaluation_latency": 0,
        "subtree_searches_sec": 23.398256183455345,
        "dra_total_time_of_successful_nc_replication_calls_sinceboot": 2.173537e+06,
        "ldap_searches_sec": 24.298189113588244,
        "onelevel_searches_sec": 0,
        "dra_inbound_full_sync_objects_remaining": 0,
        "fast_binds_sec": 0,
        "sam_resource_group_evaluation_latency": 0,
        "database_modifys_sec": 1.9998509558508841,
        "dra_inbound_objects_applied_sec": 0.7999403823403537,
        "ds_pct_writes_from_lsa": 0.007165577265895348,
        "dra_outbound_values_dns_only_sec": 0,
        "base_searches_sec": 19.098576628375945,
        "tombstones_visited_sec": 0,
        "dra_pending_replication_operations": 0,
        "external_binds_sec": 0,
        "dra_inbound_sync_link_deletion_sec": 0,
        "ds_pct_writes_other": 0.22982278304030201,
        "ds_pct_reads_from_kcc": 0.1169609055158857,
        "ds_notify_queue_size": 0,
        "dra_total_time_on_waiting_sync_replication_packages_sinceboot": 1.837956e+06,
        "dirsync_session_throttling_rate": 0,
        "sam_global_group_membership_evaluations_sec": 2.099843503643428,
        "transitive_operations_milliseconds_run": 0,
        "ds_monitor_list_size": 24,
        "simple_binds_sec": 0,
        "ds_directory_writes_sec": 1.9998509558508841,
        "dra_number_of_successful_nc_replication_calls_sinceboot": 115922,
        "dra_inbound_objects_filtered_sec": 0,
        "ds_server_name_translations_sec": 17.898666054865412,
        "tombstones_garbage_collected_sec": 0,
        "sam_successful_user_creations_sec": 0,
        "ab_browses_sec": 0,
        "dra_inbound_bytes_compressed_intrasite_aftercomp_sec": 2462.716459582571,
        "dra_inbound_link_values_sec": 0,
        "sam_domain_local_group_membership_evaluations_sec": 44.99664650664489,
        "ds_pct_searches_from_ldap": 60.387577731049625,
        "transitive_suboperations_sec": 0,
        "dra_total_number_of_missingparent_failures_sinceboot": 1,
        "atq_outstanding_queued_requests": 0,
        "negotiated_binds_sec": 7.899411275610992,
        "dra_inbound_objects_sec": 0.09999254779254421,
        "dra_sync_requests_made": 115943,
        "ab_matches_sec": 0,
        "ds_pct_reads_from_sam": 97.17242656700651,
        "ds_pct_writes_from_nspi": 0,
        "dra_inbound_total_updates_remaining_in_packet": 0,
        "dra_highest_usn_issued_low_part": 7.22855177e+08,
        "dra_outbound_bytes_compressed_intrasite_beforecomp_sinceboot": 194696,
        "sam_universal_group_membership_evaluations_sec": 19.398554271753575,
        "dirsync_sessions_in_progress": 0,
        "ds_pct_reads_from_nspi": 0,
        "ab_searches_sec": 0,
        "sam_gc_evaluations_sec": 0,
        "ds_pct_reads_other": 0.05755601948410594,
        "dra_outbound_bytes_compressed_intrasite_aftercomp_sinceboot": 104809,
        "dra_inbound_bytes_compressed_intrasite_beforecomp_sinceboot": 7.484026e+08,
        "dra_total_time_of_nc_replication_calls_sinceboot": 2.173724e+06,
        "sam_machine_creation_attempts_sec": 0,
        "dra_outbound_bytes_compressed_intrasite_beforecomp_sec": 0,
        "ds_pct_searches_other": 33.38475643607759,
        "dra_outbound_objects_filtered_sec": 0.39997019117017685,
        "dra_inbound_values_dns_only_sec": 0,
        "atq_threads_other": 0
      },
      "object": "DirectoryServices"
    }
  },
  "tags": [
    "NTDS"
  ],
  "ecs": {
    "version": "1.12.0"
  }
 }
	{
	"@timestamp": "2022-04-20T22:05:01.466Z",
	"@metadata": {
	"beat": "metricbeat",
	"type": "_doc",
	"version": "7.17.0"
	},
	"metricset": {
	"name": "perfmon",
	"period": 10000
	},
	"event": {
	"dataset": "windows.perfmon",
	"module": "windows",
	"duration": 10001538300
	},
	"service": {
	"type": "windows"
	},
	"windows": {
	"perfmon": {
	"instance": "NTDS",
	"metrics": {
	"dra_inbound_bytes_total_sec": 4440.169084727925,
	"ds_pct_searches_from_kcc": 0.03787893769355319,
	"ds_security_descriptor_sub-operations_sec": 0.19998509558508842,
	"dra_inbound_bytes_compressed_intrasite_aftercomp_sinceboot": 5.81310384e+08,
	"rid_pool_request_successes_sinceboot": 0,
	"transitive_operations_sec": 0,
	"dra_outbound_values_total_sec": 4.899634841834666,
	"ds_security_descriptor_propagations_events": 0,
	"ldap_bind_time": 0,
	"database_recycles_sec": 0,
	"sam_enumerations_sec": 0,
	"dra_inbound_bytes_compressed_intrasite_beforecomp_sec": 3062.9717239812144,
	"ab_client_sessions": 0,
	"dra_highest_usn_committed_low_part": 7.22855177e+08,
	"dra_total_number_of_notenoughattrs_missingobject_failures_sinceboot": 0,
	"dra_number_of_nc_replication_calls_sinceboot": 115942,
	"dra_outbound_bytes_total_sinceboot": 1.764506393e+09,
	"dra_inbound_link_value_updates_remaining_in_packet": 0,
	"ds_pct_reads_from_dra": 2.679516735759122e-05,
	"dra_outbound_bytes_compressed_intrasite_aftercomp_sec": 0,
	"dra_outbound_objects_sec": 2.1998360514359727,
	"phantoms_visited_sec": 0,
	"digest_binds_sec": 0,
	"ds_pct_searches_from_sam": 0.5666120344178661,
	"approximate_highest_dnt": 1.274518e+06,
	"ldap_active_threads": 0,
	"dra_outbound_properties_sec": 4.899634841834666,
	"atq_queue_latency": 0,
	"ds_pct_writes_from_dra": 12.2073473382502,
	"dra_highest_usn_committed_high_part": 0,
	"dra_inbound_bytes_insite_sec": 1977.4526251453542,
	"ds_pct_writes_from_ldap": 28.355587402565625,
	"ldap_page_search_cache_entries_count": 0,
	"dra_outbound_bytes_insite_sec": 5000.427330009551,
	"ab_property_reads_sec": 0,
	"ds_directory_searches_sec": 42.49683281183129,
	"sam_user_creation_attempts_sec": 0,
	"ds_search_sub-operations_sec": 169.1873908649848,
	"ds_pct_reads_from_ntdsapi": 0.04170667799209074,
	"sam_non-transitive_membership_evaluations_sec": 11.599135543935128,
	"ds_threads_in_use": 0,
	"ab_anr_sec": 0,
	"dra_inbound_bytes_insite_sinceboot": 1.28224172e+09,
	"ds_server_binds_sec": 0,
	"sam_successful_computer_creations_sec_includes_all_requests": 0,
	"database_deletes_sec": 0,
	"ldap_new_ssl_connections_sec": 0,
	"ds_name_cache_hit_rate": 78.8044109112014,
	"sam_membership_changes_sec": 0,
	"ds_security_descriptor_propagator_runtime_queue": 0,
	"ldap_successful_binds_sec": 7.899411275610992,
	"dra_total_number_of_preempted_failures_sinceboot": 0,
	"dra_inbound_bytes_total_sinceboot": 1.863552104e+09,
	"sam_display_information_queries_sec": 0,
	"rid_pool_request_failures_sinceboot": 0,
	"ds_pct_writes_from_kcc": 0.2034324862805411,
	"ds_pct_searches_from_lsa": 0.5135685048298149,
	"ds_security_descriptor_propagator_average_exclusion_time": 0,
	"database_adds_sec": 0,
	"ds_pct_writes_from_ntdsapi": 7.5359152714180855,
	"dra_threads_getting_nc_changes_holding_semaphore": 0,
	"ds_pct_reads_from_lsa": 2.611195757789104,
	"dra_outbound_bytes_total_sec": 5000.427330009551,
	"ldap_new_connections_sec": 8.199388918988625,
	"ds_directory_reads_sec": 45.496609245607615,
	"atq_threads_ldap": 0,
	"dra_inbound_properties_filtered_sec": 0.09999254779254421,
	"dra_total_time_of_applying_replication_package_sinceboot": 54085,
	"ds_pct_searches_from_nspi": 0,
	"dra_inbound_properties_total_sec": 0.19998509558508842,
	"dra_pending_replication_synchronizations": 0,
	"atq_threads_total": 8,
	"ds_client_binds_sec": 6.699500702100462,
	"ntlm_binds_sec": 0,
	"dra_inbound_values_total_sec": 0.19998509558508842,
	"dra_sync_failures_on_schema_mismatch": 0,
	"rid_pool_invalidations_sinceboot": 0,
	"sam_password_changes_sec": 0,
	"ds_pct_writes_from_sam": 51.46055437100213,
	"ldap_page_search_cache_size": 0,
	"ds_client_name_translations_sec": 3.399746624946503,
	"ds_pct_searches_from_dra": 0,
	"phantoms_cleaned_sec": 0,
	"dra_inbound_properties_applied_sec": 0.09999254779254421,
	"ldap_writes_sec": 1.1999105735105304,
	"ldap_closed_connections_sec": 8.999329301328979,
	"ldap_udp_operations_sec": 1.9998509558508841,
	"atq_request_latency": 0,
	"dra_highest_usn_issued_high_part": 0,
	"ab_proxy_lookups_sec": 0,
	"ldap_client_sessions": 77,
	"dra_total_time_of_successfully_applying_replication_package_sinceboot": 54085,
	"dra_sync_requests_successful": 115943,
	"dra_threads_getting_nc_changes": 0,
	"dra_total_number_of_busy_failures_sinceboot": 0,
	"link_values_cleaned_sec": 0,
	"dra_total_time_on_waiting_async_replication_packages_sinceboot": 0,
	"sam_transitive_membership_evaluations_sec": 66.4950442820419,
	"dra_inbound_object_updates_remaining_in_packet": 0,
	"ds_pct_searches_from_ntdsapi": 5.109250896695986,
	"atq_estimated_queue_delay": 0,
	"sam_account_group_evaluation_latency": 0,
	"subtree_searches_sec": 23.398256183455345,
	"dra_total_time_of_successful_nc_replication_calls_sinceboot": 2.173537e+06,
	"ldap_searches_sec": 24.298189113588244,
	"onelevel_searches_sec": 0,
	"dra_inbound_full_sync_objects_remaining": 0,
	"fast_binds_sec": 0,
	"sam_resource_group_evaluation_latency": 0,
	"database_modifys_sec": 1.9998509558508841,
	"dra_inbound_objects_applied_sec": 0.7999403823403537,
	"ds_pct_writes_from_lsa": 0.007165577265895348,
	"dra_outbound_values_dns_only_sec": 0,
	"base_searches_sec": 19.098576628375945,
	"tombstones_visited_sec": 0,
	"dra_pending_replication_operations": 0,
	"external_binds_sec": 0,
	"dra_inbound_sync_link_deletion_sec": 0,
	"ds_pct_writes_other": 0.22982278304030201,
	"ds_pct_reads_from_kcc": 0.1169609055158857,
	"ds_notify_queue_size": 0,
	"dra_total_time_on_waiting_sync_replication_packages_sinceboot": 1.837956e+06,
	"dirsync_session_throttling_rate": 0,
	"sam_global_group_membership_evaluations_sec": 2.099843503643428,
	"transitive_operations_milliseconds_run": 0,
	"ds_monitor_list_size": 24,
	"simple_binds_sec": 0,
	"ds_directory_writes_sec": 1.9998509558508841,
	"dra_number_of_successful_nc_replication_calls_sinceboot": 115922,
	"dra_inbound_objects_filtered_sec": 0,
	"ds_server_name_translations_sec": 17.898666054865412,
	"tombstones_garbage_collected_sec": 0,
	"sam_successful_user_creations_sec": 0,
	"ab_browses_sec": 0,
	"dra_inbound_bytes_compressed_intrasite_aftercomp_sec": 2462.716459582571,
	"dra_inbound_link_values_sec": 0,
	"sam_domain_local_group_membership_evaluations_sec": 44.99664650664489,
	"ds_pct_searches_from_ldap": 60.387577731049625,
	"transitive_suboperations_sec": 0,
	"dra_total_number_of_missingparent_failures_sinceboot": 1,
	"atq_outstanding_queued_requests": 0,
	"negotiated_binds_sec": 7.899411275610992,
	"dra_inbound_objects_sec": 0.09999254779254421,
	"dra_sync_requests_made": 115943,
	"ab_matches_sec": 0,
	"ds_pct_reads_from_sam": 97.17242656700651,
	"ds_pct_writes_from_nspi": 0,
	"dra_inbound_total_updates_remaining_in_packet": 0,
	"dra_highest_usn_issued_low_part": 7.22855177e+08,
	"dra_outbound_bytes_compressed_intrasite_beforecomp_sinceboot": 194696,
	"sam_universal_group_membership_evaluations_sec": 19.398554271753575,
	"dirsync_sessions_in_progress": 0,
	"ds_pct_reads_from_nspi": 0,
	"ab_searches_sec": 0,
	"sam_gc_evaluations_sec": 0,
	"ds_pct_reads_other": 0.05755601948410594,
	"dra_outbound_bytes_compressed_intrasite_aftercomp_sinceboot": 104809,
	"dra_inbound_bytes_compressed_intrasite_beforecomp_sinceboot": 7.484026e+08,
	"dra_total_time_of_nc_replication_calls_sinceboot": 2.173724e+06,
	"sam_machine_creation_attempts_sec": 0,
	"dra_outbound_bytes_compressed_intrasite_beforecomp_sec": 0,
	"ds_pct_searches_other": 33.38475643607759,
	"dra_outbound_objects_filtered_sec": 0.39997019117017685,
	"dra_inbound_values_dns_only_sec": 0,
	"atq_threads_other": 0
	},
	"object": "DirectoryServices"
	}
	},
	"tags": [
	"NTDS"
	],
	"ecs": {
	"version": "1.12.0"
	}
	}