Trying to find the best way to log anytime a number logs into more than 1 computer. Not sure of the best approach for this. My current query is:
index=cisco_ise sourcetype="cisco:ise:syslog" (Framed_IP_Address=* AND Framed_IP_Address!="\\") (UserName="*.*" AND UserName!="sim*" AND UserName!="host//*" AND UserName!="\\")
| bin _time span=24h
| stats values(UserName) as User_Name, dc(UserName) as User_Name_Count by Framed_IP_Address, _time
| where User_Name_Count > 1
| eval "Time Range"=strftime(_time,"%Y-%m-%d %H:%M:%S")." - ".strftime(_time+86400,"%Y-%m-%d %H:%M:%S")
| sort -Framed_IP_Address
And believe it or not, this actually gave me 1 result. I could see 2 users logged into the same machine. However, I don't believe it's the best way to write this or achieve this result, and I was hoping to get some advice on how to tighten the query up.
Thank you in advance.
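As an added example that is not part of the original post: the grouping logic of the query above, run in Python over constructed Cisco ISE-style syslog lines so both readings of the question can be checked offline. users_on_multiple_hosts groups by user and counts distinct addresses per 24h bin (the goal stated at the top of the post); hosts_with_multiple_users groups by address and counts distinct users (what the posted stats ... by Framed_IP_Address actually computes). The sample lines, the field names (Framed-IP-Address as the raw attribute that the Splunk TA exposes as Framed_IP_Address) and the username filters are assumptions mirroring the query, not real ISE output.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines, loosely modelled on Cisco ISE RADIUS accounting
# syslog (comma-separated field=value pairs). Not real captures; the field
# names are assumptions.
SAMPLE_LOGS = [
    "2024-03-01T08:05:00Z ise01 CISE_RADIUS_Accounting UserName=jane.doe, Framed-IP-Address=10.0.1.15",
    "2024-03-01T09:10:00Z ise01 CISE_RADIUS_Accounting UserName=jane.doe, Framed-IP-Address=10.0.1.22",
    "2024-03-01T09:30:00Z ise01 CISE_RADIUS_Accounting UserName=bob.smith, Framed-IP-Address=10.0.1.22",
    "2024-03-01T10:00:00Z ise01 CISE_RADIUS_Accounting UserName=sim000123, Framed-IP-Address=10.0.1.40",
    "2024-03-01T10:05:00Z ise01 CISE_RADIUS_Accounting UserName=host/ws-01.corp.example, Framed-IP-Address=10.0.1.40",
    "2024-03-01T11:00:00Z ise01 CISE_RADIUS_Accounting UserName=svc_backup, Framed-IP-Address=10.0.1.50",
    "2024-03-01T12:00:00Z ise01 CISE_RADIUS_Accounting UserName=bob.smith, Framed-IP-Address=10.0.1.22",
    "2024-03-01T12:30:00Z ise01 CISE_RADIUS_Accounting UserName=carol.w, Framed-IP-Address=",
    "2024-03-02T08:00:00Z ise01 CISE_RADIUS_Accounting UserName=jane.doe, Framed-IP-Address=10.0.1.15",
    "2024-03-02T08:30:00Z ise01 CISE_RADIUS_Accounting UserName=bob.smith, Framed-IP-Address=10.0.1.60",
    "2024-03-02T23:59:00Z ise01 CISE_RADIUS_Accounting UserName=bob.smith, Framed-IP-Address=10.0.1.61",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ UserName=(?P<user>[^,]*), Framed-IP-Address=(?P<ip>\S*)$"
)


def parse_line(line):
    """Return (epoch_seconds, user, ip) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), m["user"], m["ip"]


def keep_event(user, ip):
    """Mirror the post's filters: a non-empty address, a dotted username,
    and none of the sim* or host/ accounts."""
    if not ip or "." not in user:
        return False
    return not (user.startswith("sim") or user.startswith("host/"))


def bin_24h(epoch):
    """Equivalent of `bin _time span=24h`: floor to the UTC day boundary
    (assumes the Splunk bin aligns to UTC midnight)."""
    return epoch - (epoch % 86400)


def day_label(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def _group(lines, key_field, value_field):
    """Collect distinct value_field per (24h bin, key_field); keep groups > 1,
    the same shape as `stats dc(...) by ..., _time | where count > 1`."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        epoch, user, ip = parsed
        if not keep_event(user, ip):
            continue
        rec = {"user": user, "ip": ip}
        groups[(day_label(bin_24h(epoch)), rec[key_field])].add(rec[value_field])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def users_on_multiple_hosts(lines):
    """The stated goal: per 24h bin, users seen from more than one address."""
    return _group(lines, "user", "ip")


def hosts_with_multiple_users(lines):
    """What the posted query computes: per 24h bin, addresses with more than one user."""
    return _group(lines, "ip", "user")


if __name__ == "__main__":
    for k, v in sorted(users_on_multiple_hosts(SAMPLE_LOGS).items()):
        print("user on multiple hosts:", k, v)
    for k, v in sorted(hosts_with_multiple_users(SAMPLE_LOGS).items()):
        print("host with multiple users:", k, v)
```

Swapping the two `by` fields is the whole difference between the two detections; the 24h bin means a user who moves machines at 23:59 and 00:01 lands in two bins and is missed, which is the usual caveat with fixed-span binning.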