11-19-2020 03:21 AM
Hi All,
I was looking to get some help on how to model a graph to track and analyse Active Directory events (logins to computers).
I have 2 main nodes (users and computers), both loaded from data exported from Active Directory.
The next step would be to load the event data (timestamp, user, computer, success/error) and build a relationship between the user and the computer node. I was wondering if I should use a relationship with attributes or add an additional node for the event?
One thing to consider is that the event data is a very large dataset to be loaded and queried.
Thanks,
Holger
11-20-2020 10:04 AM
What questions are you planning to answer with this graph? It could possibly guide how you model it.
11-21-2020 05:36 AM
We want to detect abnormal user behaviour, like failed login attempts or logins outside of the normal hours etc.
We also have more log data (netflow, application logs, etc.) which we want to integrate into this graph to complete the picture.
11-22-2020 10:43 AM
Try this:
// MERGE reuses a node that already has exactly these properties, otherwise creates it:
// one node per user, per day, per time of day, per computer and per login outcome
MERGE (u:User {name: "user1", id: "u1"})
MERGE (ed:EventDate {date:"20-11-06"})
MERGE (et:EventTime {time: "20:07:28", normalhours: "yes"})
MERGE (c:Computer {id: "xyz"})
MERGE (e1:Logins {success: "yes", attempts: 1, error: "NA"})
// chain them: user -> date -> time -> computer -> outcome
MERGE (u)-[:CONNECT_DATE]->(ed)
MERGE (ed)-[:CONNECT_TIME]-(et)
MERGE (et)-[:COMPUTER]->(c)
MERGE (c)-[:SUCCESS_FAILURE]->(e1)
RETURN u, ed, et, c, e1;
Result:
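As an added example (my own code, not from the thread above or from Neo4j's documentation), here is the other shape Holger asked about in the original question: one node per logon event, connected to the user and the computer, followed by two queries for the detections mentioned in the follow-up (failed-login bursts and off-hours logins). The label, property and relationship names (User.sam, Computer.host, Logon.id/ts/success/status, LOGGED_ON, TO), the thresholds (3 failures in 10 minutes; 07:00-19:00 Monday to Friday as "normal hours") and the sample events are all assumptions; the constraint syntax is Neo4j 5's.

```cypher
// Added example, not code from the original thread. Assumed schema:
//   (:User {sam})-[:LOGGED_ON]->(:Logon {id, ts, success, status})-[:TO]->(:Computer {host})
// One :Logon node per event keeps every timestamp as its own property, so events can be
// sorted, windowed and counted; a unique event id makes reloading the same export idempotent.
// Constraint/index syntax is Neo4j 5 (on 4.x use CREATE CONSTRAINT ... ON (n:Label) ASSERT ...).
CREATE CONSTRAINT user_sam      IF NOT EXISTS FOR (u:User)     REQUIRE u.sam  IS UNIQUE;
CREATE CONSTRAINT computer_host IF NOT EXISTS FOR (c:Computer) REQUIRE c.host IS UNIQUE;
CREATE CONSTRAINT logon_id      IF NOT EXISTS FOR (l:Logon)    REQUIRE l.id   IS UNIQUE;
CREATE INDEX      logon_ts      IF NOT EXISTS FOR (l:Logon)    ON (l.ts);

// Constructed sample events standing in for a LOAD CSV or driver batch of logon records
// (status is a sample failure reason; successes carry no status key, so ev.status is null).
// 2020-11-06 is a Friday, 2020-11-08 a Sunday.
UNWIND [
  {id: 'e1', user: 'alice', host: 'WS01',  ts: '2020-11-06T09:12:00Z', success: true},
  {id: 'e2', user: 'alice', host: 'WS01',  ts: '2020-11-06T02:40:00Z', success: true},
  {id: 'e3', user: 'bob',   host: 'SRV01', ts: '2020-11-06T10:00:00Z', success: false, status: '0xC000006A'},
  {id: 'e4', user: 'bob',   host: 'SRV01', ts: '2020-11-06T10:03:00Z', success: false, status: '0xC000006A'},
  {id: 'e5', user: 'bob',   host: 'SRV01', ts: '2020-11-06T10:07:00Z', success: false, status: '0xC000006A'},
  {id: 'e6', user: 'bob',   host: 'SRV01', ts: '2020-11-06T11:30:00Z', success: false, status: '0xC000006A'},
  {id: 'e7', user: 'bob',   host: 'SRV01', ts: '2020-11-06T11:31:00Z', success: true},
  {id: 'e8', user: 'carol', host: 'WS02',  ts: '2020-11-08T14:05:00Z', success: true}
] AS ev
MERGE (u:User {sam: ev.user})
MERGE (c:Computer {host: ev.host})
MERGE (l:Logon {id: ev.id})
  ON CREATE SET l.ts = datetime(ev.ts), l.success = ev.success, l.status = ev.status
MERGE (u)-[:LOGGED_ON]->(l)
MERGE (l)-[:TO]->(c);

// Detection 1: three or more failed logons by one user on one computer inside 10 minutes
// (threshold assumed). Sliding window over the per-(user, computer) failure timestamps.
MATCH (u:User)-[:LOGGED_ON]->(l:Logon {success: false})-[:TO]->(c:Computer)
WITH u, c, l ORDER BY l.ts
WITH u, c, collect(l.ts) AS fails          // collect keeps the ORDER BY order
UNWIND range(0, size(fails) - 3) AS i       // empty range when fewer than 3 failures
WITH u, c, fails[i] AS windowStart, fails[i + 2] AS windowEnd
WHERE windowEnd <= windowStart + duration({minutes: 10})
RETURN u.sam AS user, c.host AS host, windowStart, windowEnd;

// Detection 2: successful logons outside assumed business hours (07:00-19:00 UTC, Mon-Fri).
MATCH (u:User)-[:LOGGED_ON]->(l:Logon {success: true})-[:TO]->(c:Computer)
WITH u, c, l, l.ts.hour AS hour, l.ts.dayOfWeek AS dow   // dayOfWeek: 1 = Monday ... 7 = Sunday
WHERE hour < 7 OR hour >= 19 OR dow >= 6
RETURN u.sam AS user, c.host AS host, l.ts AS ts
ORDER BY ts;
```

Run it as a file with cypher-shell (the statements are `;`-separated) against an empty database. On the sample data the first query fires once, for bob's three consecutive failures on SRV01 between 10:00 and 10:07, while the single failure at 11:30 never completes a window; the second query returns alice's 02:40 logon and carol's Sunday logon. The reason for a node per event rather than a relationship with properties is visible in the MERGE: a `MERGE (u)-[:LOGGED_ON {ts: ...}]->(c)` keyed on the timestamp would match by the full property set and still create one relationship per event, but with no unique constraint to make reloads idempotent and no label to index the timestamps on; a `(:Logon)` node gets both, and the same node can later be linked to netflow or application-log nodes for the same session.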
11-23-2020 06:43 AM
Hi, that looks interesting, I'll try it out and let you know.
Thanks for your help!