Hello,
I am trying to filter out events when the source username and destination username are the same, but it is not working when I use the `where` and `NOT field1= field2` function. Is it because I have spaces in the field names? I tried to rename them as different fields and tried the where clause, but it still didn't work. Any help is greatly appreciated.
Here is the search:
```
| NOT ("Source User Name"="ANONYMOUS LOGON" OR "Source User Name"=*$) Name!="A user account was changed." | stats dc(Name) as UniqueActionCount, values(Name) as UniqueAction by "Source User Name" | where NOT "Source User Name"="Destination User Name"
```
Thank you.
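Added example, not part of the original post: in `where` and `eval` expressions SPL treats double-quoted text as a string literal and single-quoted text as a field name, and `stats ... by "Source User Name"` outputs only the fields it names, so the field-to-field comparison has to run before `stats`. The rows below are constructed sample data generated with `makeresults`, and the user names and action names are made up for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval "Source User Name"=case(n=1,"alice", n=2,"bob", n=3,"carol", n=4,"bob")
| eval "Destination User Name"=case(n=1,"alice", n=2,"dave", n=3,"carol", n=4,"erin")
| eval Name=case(n=1,"A user account was enabled.", n=2,"A user account was locked out.", n=3,"A user account was disabled.", n=4,"A user account was enabled.")
| where 'Source User Name' != 'Destination User Name'
| stats dc(Name) AS UniqueActionCount, values(Name) AS UniqueAction BY "Source User Name"
```

Swapping the single quotes in the `where` line for double quotes makes it compare two fixed strings that are never equal, so no row is filtered out.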