This search doesn't really give me what I need, nor does the ES-TA. I need to figure out how I can determine if a single user is or has logged into more than one host from totally different devices over the day. I have some ideas, but this seems slightly strange to write as a search. Here's what I have.
I managed to create the report using this search
index="oswinsec" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Login IPs", values(dvc) as "Domain Controller", count by user
| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users
Will something like this work for the single condition, and how would I modify it to show if the user is also logged in to one or more devices using the same user name?
Thx
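As an added example (not part of the original post or its Splunk search), the following Python reimplements the logic of the query above over a handful of constructed Windows logon events, so the two conditions in the question can be checked offline: (1) a user with more than one distinct source IP in a day, which is what `dc(src_ip)` with `where Number_logged_hosts>1` computes, and (2) the same user name logged on from two different source IPs close together in time. Field names (`user`, `src_ip`, `dvc`, `EventCode`) follow the search; the sample events, the per-calendar-day bucketing and the 60-minute "still logged in" window are assumptions made for this example, since 4624 events carry no session end.

```python
"""Added example: Splunk-style multi-host logon detection over constructed events.

Assumptions (not from the original post): events are dicts carrying the same
fields the SPL search uses, "over the day" means the same UTC calendar date,
and a logon is treated as still active for a fixed window after the event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names mirror the Splunk search.
EVENTS = [
    {"_time": "2024-03-04T08:01:00", "EventCode": 4624, "user": "alice", "src_ip": "10.1.1.20", "dvc": "DC01"},
    {"_time": "2024-03-04T08:05:00", "EventCode": 4624, "user": "alice", "src_ip": "10.1.1.20", "dvc": "DC01"},
    {"_time": "2024-03-04T13:30:00", "EventCode": 4624, "user": "alice", "src_ip": "10.2.7.55", "dvc": "DC02"},
    {"_time": "2024-03-04T09:00:00", "EventCode": 4624, "user": "bob", "src_ip": "10.1.1.31", "dvc": "DC01"},
    {"_time": "2024-03-04T09:02:00", "EventCode": 4624, "user": "bob", "src_ip": "10.1.1.31", "dvc": "DC02"},
    {"_time": "2024-03-04T10:00:00", "EventCode": 4624, "user": "SYSTEM", "src_ip": "10.1.1.5", "dvc": "DC01"},
    {"_time": "2024-03-04T10:00:00", "EventCode": 4624, "user": "SRV01$", "src_ip": "10.1.1.6", "dvc": "DC01"},
    {"_time": "2024-03-04T11:00:00", "EventCode": 4625, "user": "carol", "src_ip": "10.3.3.3", "dvc": "DC01"},
    {"_time": "2024-03-05T08:00:00", "EventCode": 4624, "user": "carol", "src_ip": "10.3.3.3", "dvc": "DC01"},
    {"_time": "2024-03-05T08:00:00", "EventCode": 540, "user": "carol", "src_ip": "10.3.3.9", "dvc": "DC01"},
]

LOGON_CODES = {540, 4624}                       # the (EventCode=540 OR EventCode=4624) clause
EXCLUDED_USERS = {"ANONYMOUS LOGON", "SYSTEM", "services", "Unknown"}


def _filtered(events):
    """Apply the search's base filter: successful logons, minus machine (name$) and service accounts."""
    for ev in events:
        user = ev["user"]
        if ev["EventCode"] not in LOGON_CODES:
            continue
        if user.endswith("$") or user in EXCLUDED_USERS:
            continue
        yield ev


def _ts(ev):
    return datetime.fromisoformat(ev["_time"])


def multi_source_logins(events, min_sources=2):
    """Condition 1: per (user, day), distinct src_ip, reporting DCs and logon count.

    This is the stats/where part of the search, bucketed per calendar day.
    Returns only rows with at least `min_sources` distinct source IPs.
    """
    per_day = defaultdict(lambda: {"src_ips": set(), "dvcs": set(), "count": 0})
    for ev in _filtered(events):
        row = per_day[(ev["user"], _ts(ev).date().isoformat())]
        row["src_ips"].add(ev["src_ip"])
        row["dvcs"].add(ev["dvc"])
        row["count"] += 1
    return {k: v for k, v in per_day.items() if len(v["src_ips"]) >= min_sources}


def concurrent_source_logins(events, window=timedelta(minutes=60)):
    """Condition 2 (assumed reading): same user name logged on from two different
    source IPs within `window` of each other. The window is a stand-in for
    "still logged in", because 4624 events do not record when a session ends.
    Returns {user: {(ip_a, ip_b), ...}}.
    """
    by_user = defaultdict(list)
    for ev in _filtered(events):
        by_user[ev["user"]].append((_ts(ev), ev["src_ip"]))
    hits = defaultdict(set)
    for user, logons in by_user.items():
        logons.sort()
        for i, (t1, ip1) in enumerate(logons):
            for t2, ip2 in logons[i + 1:]:
                if t2 - t1 > window:        # sorted, so nothing later can be within the window
                    break
                if ip1 != ip2:
                    hits[user].add(tuple(sorted((ip1, ip2))))
    return dict(hits)


def report(events):
    """Render condition 1 like the search's output: most source IPs first, then by user."""
    rows = multi_source_logins(events)
    ordered = sorted(rows.items(), key=lambda kv: (-len(kv[1]["src_ips"]), kv[0]))
    return [
        f"{day} {user}: {len(v['src_ips'])} source IPs {sorted(v['src_ips'])}, "
        f"DCs {sorted(v['dvcs'])}, {v['count']} logons"
        for (user, day), v in ordered
    ]


if __name__ == "__main__":
    for line in report(EVENTS):
        print(line)
    print(concurrent_source_logins(EVENTS))
```

On the sample data, alice and carol trip the first condition (two source IPs in one day each), bob does not (two domain controllers but one source IP), and only carol trips the concurrent check, because alice's second source appears more than five hours after the first. The failed logon (4625) and the `SYSTEM`/`SRV01$` accounts drop out exactly as in the search's filter.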