The search below is what I have working now to see which users are not in the first event code.
index="wineventlog" EventCode="4723" status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count by user
| table user
| map search="search index=wineventlog EventCode=4724 NOT user=$user$ status=success"
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)"
| dedup _time
| table _time, src_user, user, msad_action, status, ComputerName
| rename src_user as "Admin Account", user as "ICFI Account", msad_action as "Action", status as "Result", ComputerName as "Domain Controller"
| sort "Admin Account"
Is there any way to speed this up? It is taking a long time.
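The slow part of the posted search is `map`: it launches one complete subsearch per row returned by the first `stats`, so with a few hundred 4723 users it runs a few hundred searches over the whole index. The following is an added example, not code from the original poster, showing how the same "4724 resets for accounts that have no successful 4723 of their own" check can be done in a single pass with `eventstats`. It assumes both event codes carry the same `src_user`, `user`, `msad_action`, `status` and `ComputerName` fields (the names are taken from the posted search) and reuses the two account-pattern regexes from the question unchanged.

```spl
index=wineventlog (EventCode="4723" OR EventCode="4724") status=success
| where (EventCode="4723" AND match(src_user, "(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"))
     OR (EventCode="4724" AND match(src_user, "(\b\d{5}ss\b)|([N]\d{6}ss)"))
| eval self_change=if(EventCode="4723", 1, 0)
| eventstats max(self_change) AS has_4723 BY user
| where EventCode="4724" AND has_4723=0
| dedup _time
| table _time, src_user, user, msad_action, status, ComputerName
| rename src_user AS "Admin Account", user AS "ICFI Account", msad_action AS "Action", status AS "Result", ComputerName AS "Domain Controller"
| sort "Admin Account"
```

One index scan pulls both event codes, the `where` applies the broad pattern to 4723 events and the admin-only pattern to 4724 events, and `eventstats` tags every row with whether that `user` has any successful 4723 in the time range. The final `where` keeps only admin resets for accounts without one, which is the set difference the question asks for; everything from `dedup _time` onward is the original presentation. Restrict the time picker to the window you actually care about, since `eventstats` holds the whole result set in memory.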