I am trying to alert on when a specific user logs into an affected / malware not cleaned machine. I am using the following search, but can't seem to get the join to work. All I see are the signatures from the Windows events, but nothing from McAfee..
index=wineventlog EventCode=4624 | lookup privileged_users.csv user | search nick="*" | join type=left user [search index=mcafee sourcetype="mcafee:epo:av" threat_handled=0 field user | rename user as pua] | stats count by pua
Thoughts?
↧