Hi.
How can I distinguish authentication failure events with «Unknown User Name» from those with «Bad Password»?
    (index="wineventlog" OR source=*WinEventLog*) "Audit Failure" Failure_Reason=* ComputerName=* Message!="*privilege*" Account_Name!="*$*"
    | eval user=mvindex(Account_Name,1)
    | stats count by _time, ComputerName, user, Source_Network_Address, Keywords
    | rex mode=sed field=Keywords "s/Audit\s//"
    | rename ComputerName AS host, user AS account, Source_Network_Address AS src, Keywords AS action
    | fields _time host account src action
    | sort -_time
![alt text][1]
![alt text][2]
[1]: /storage/temp/225674-screenshot-1.png
[2]: /storage/temp/225675-untitled.png
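An added example, not from the original post, showing one way to separate the two cases. For Windows Security event 4625 the Failure_Reason text is identical for both ("Unknown user name or bad password."), but the Sub Status code differs: 0xC0000064 means the user name does not exist, 0xC000006A means the account exists and the password was wrong. The search assumes the Splunk Add-on for Windows has extracted EventCode and Sub_Status (or SubStatus for XML-rendered events) as fields; the lower() call is there because the hex digits are upper-case on some Windows versions and lower-case on others.

```spl
(index="wineventlog" OR source=*WinEventLog*) EventCode=4625 Account_Name!="*$*"
| eval user=mvindex(Account_Name,1)
| eval sub=lower(coalesce(Sub_Status, SubStatus))
| eval action=case(
      sub=="0xc0000064", "Unknown user name",
      sub=="0xc000006a", "Bad password",
      sub=="0xc0000234", "Account locked out",
      sub=="0xc0000072", "Account disabled",
      sub=="0xc0000071", "Password expired",
      true(), "Other failure (".coalesce(Sub_Status, SubStatus, "no Sub_Status").")")
| stats count by _time, ComputerName, user, Source_Network_Address, sub, action
| rename ComputerName AS host, user AS account, Source_Network_Address AS src, sub AS sub_status
| fields _time host account src sub_status action
| sort -_time
```

The extra case() branches for lockout, disabled account and expired password are the other common 4625 sub-status values; drop them if you only want the two classes from the question. Note that Kerberos failures are logged as 4771 (pre-authentication failed, Failure Code 0x18 for a bad password) and 4768 (Failure Code 0x6 for an unknown principal), so an NTLM-only view based on 4625 will miss domain logons that fail at the KDC.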