@jrwarwick
Created May 11, 2021 17:00
Graylog Pipeline Rules - Active Directory summaries for a Technical Support Service Desk
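rule "AD User Lockout event summarize"
// Purpose: turn a Windows Security event 4740 ("A user account was locked
// out"), as shipped by winlogbeat, into one plain-language field
// (servicedesk_summary) that a service-desk agent can read without decoding
// the raw winlogbeat_event_data_* fields.
when
  has_field("winlogbeat_event_data_TargetUserName")
  // Exact comparison instead of contains(): a substring test on the event id
  // would also fire on any other id that happens to embed the digits 4740.
  // Assumes winlogbeat delivers the id as an integer (to_string -> "4740");
  // confirm against a live message if the field arrives with another type.
  AND to_string($message.winlogbeat_event_id) == "4740"
then
  // Build the summary incrementally; every field goes through to_string so a
  // missing field yields "" rather than aborting the rule.
  let summarized_message = concat(to_string($message.winlogbeat_event_data_TargetUserName), " locked out from domain ");
  let summarized_message = concat(summarized_message, to_string($message.winlogbeat_event_data_SubjectDomainName));
  let summarized_message = concat(summarized_message, "\n\n Reported from ");
  let summarized_message = concat(summarized_message, to_string($message.source));
  // Supplement: the original note treats TargetDomainName as the probable
  // caller workstation for a 4740 event. Use to_string's default argument so
  // an absent field shows a visible placeholder instead of an empty line.
  let supplemental = to_string($message.winlogbeat_event_data_TargetDomainName, "(unknown)");
  let summarized_message = concat(summarized_message, "\n Possibly implicated workstation/hostname: ");
  let summarized_message = concat(summarized_message, supplemental);
  // Not needed for now: a SubStatus decode could be added later via
  // lookup_value("lookup_error", to_string($message.winlogbeat_event_data_SubStatus)).
  // summarized_message is already a string, so no further conversion is needed.
  set_field("servicedesk_summary", summarized_message);
end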