Hello,
So I'm looking at a use case where I have to create a table that shows multiple failed logins on the same workstation by different usernames.
Here's what I have so far:
```
index=windows* sourcetype=WinEventLog:Security EventCode=4625 | eval AccountName=mvindex(Account_Name, 1) | stats values(AccountName) by Workstation_Name
```
That shows all accounts that failed to log in. I want the result where there are multiple failed accounts on the same workstation. So something like `....| where AccountName > 1`.
Please let me know if this makes sense. Thanks!
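The aggregation the question describes, as an added example that is not part of the original post: a Python implementation run over a few constructed Windows Security 4625 records. It mirrors what the SPL would need to do, which is count distinct failed accounts per workstation (`stats dc(AccountName) AS distinct_accounts values(AccountName) by Workstation_Name | where distinct_accounts > 1`) rather than compare the `AccountName` string itself to a number. The field names, the sample events and the `min_distinct` threshold are assumptions for illustration.

```python
"""
Added example (not from the original post): group Windows EventCode=4625
failures by Workstation_Name and keep only workstations where more than one
distinct account failed to log on. Mirrors the SPL
  ... | stats dc(AccountName) AS distinct_accounts values(AccountName) by Workstation_Name
      | where distinct_accounts > 1
"""
from collections import defaultdict

# Constructed sample events (not real logs). In a 4625 event Account_Name is
# multivalue: index 0 is the subject account (often "-"), index 1 the account
# the failed logon was attempted for, which is what mvindex(Account_Name, 1) picks.
SAMPLE_EVENTS = [
    {"EventCode": 4625, "Workstation_Name": "WS-FIN-01", "Account_Name": ["-", "alice"]},
    {"EventCode": 4625, "Workstation_Name": "WS-FIN-01", "Account_Name": ["-", "bob"]},
    {"EventCode": 4625, "Workstation_Name": "WS-FIN-01", "Account_Name": ["-", "alice"]},
    {"EventCode": 4625, "Workstation_Name": "WS-HR-07",  "Account_Name": ["-", "carol"]},
    {"EventCode": 4625, "Workstation_Name": "WS-HR-07",  "Account_Name": ["-", "carol"]},
    # A successful logon (4624) must not count; the search filters EventCode=4625.
    {"EventCode": 4624, "Workstation_Name": "WS-HR-07",  "Account_Name": ["-", "dave"]},
    {"EventCode": 4625, "Workstation_Name": "WS-DEV-03", "Account_Name": ["-", "erin"]},
    {"EventCode": 4625, "Workstation_Name": "WS-DEV-03", "Account_Name": ["-", "frank"]},
    {"EventCode": 4625, "Workstation_Name": "WS-DEV-03", "Account_Name": ["-", "grace"]},
]


def target_account(event):
    """Equivalent of mvindex(Account_Name, 1): the account that failed to log on."""
    names = event.get("Account_Name", [])
    return names[1] if len(names) > 1 else None


def failed_logins_by_workstation(events, min_distinct=2):
    """Return one row per workstation with at least min_distinct distinct failed accounts.

    Each row carries the distinct-account count (dc), the raw failure count, and the
    sorted list of account names (values), so an analyst sees both breadth and volume.
    """
    accounts = defaultdict(set)   # Workstation_Name -> set of distinct failed accounts
    failures = defaultdict(int)   # Workstation_Name -> total 4625 events
    for ev in events:
        if ev.get("EventCode") != 4625:
            continue
        acct = target_account(ev)
        if acct is None:
            continue
        ws = ev.get("Workstation_Name") or "unknown"
        accounts[ws].add(acct)
        failures[ws] += 1

    rows = []
    for ws, names in accounts.items():
        if len(names) >= min_distinct:
            rows.append({
                "Workstation_Name": ws,
                "distinct_accounts": len(names),
                "failures": failures[ws],
                "AccountName": sorted(names),
            })
    # Most distinct accounts first; ties broken by workstation name for stable output.
    rows.sort(key=lambda r: (-r["distinct_accounts"], r["Workstation_Name"]))
    return rows


if __name__ == "__main__":
    for row in failed_logins_by_workstation(SAMPLE_EVENTS):
        print(row)
```

Run against the constructed sample, WS-DEV-03 (three accounts) and WS-FIN-01 (two accounts, three failures) are reported, while WS-HR-07 is dropped because only one account failed there, even though it failed twice. The threshold is a parameter so the same function can be tightened for noisier environments.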