I want to know how to determine if a user logged on to multiple machines within a certain time window, and also identify the particular machines where the user logged in.
I have used the search below, but machine names are not appearing:
sourcetype="WinEventLog:Security" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Login IPs", values(dvc) as "Domain Controllers", count by user
| rename user as Users, count as Total_times_logged_in
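As an added example (not from the question or from Splunk's own code), here is the same check written as a small Python detector over constructed 4624-style records: instead of fixed hourly buckets it slides a one-hour window over each user's logons, so a user seen on two or more distinct hosts within any such window is flagged together with those hosts and the source IPs involved. Every user name, host name, IP and timestamp below is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): successful logons as
# (timestamp, user, host the logon landed on, source IP of the logon).
SAMPLE_EVENTS = [
    ("2024-03-01 09:00:00", "alice", "WS01", "10.0.0.11"),
    ("2024-03-01 09:05:00", "alice", "WS02", "10.0.0.11"),
    ("2024-03-01 09:10:00", "alice", "FS01", "10.0.0.11"),
    ("2024-03-01 09:20:00", "bob", "WS03", "10.0.0.12"),
    ("2024-03-01 13:00:00", "bob", "WS04", "10.0.0.12"),
    ("2024-03-01 09:30:00", "WS01$", "DC01", "10.0.0.5"),
    ("2024-03-01 09:31:00", "ANONYMOUS LOGON", "DC01", "10.0.0.99"),
]

# Same principals the question's NOT clause excludes.
NOISE_USERS = {"ANONYMOUS LOGON", "SYSTEM", "services", "Unknown"}


def is_noise(user):
    """Skip machine accounts (trailing $) and well-known non-user principals."""
    return user.endswith("$") or user in NOISE_USERS


def multi_host_logons(events, window=timedelta(hours=1), min_hosts=2):
    """Return {user: {"hosts": [...], "src_ips": [...]}} for every user that
    logged on to at least min_hosts distinct hosts inside some sliding window."""
    per_user = defaultdict(list)
    for ts, user, host, src_ip in events:
        if is_noise(user):
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_user[user].append((when, host, src_ip))

    flagged = {}
    for user, logons in per_user.items():
        logons.sort()  # chronological, so each logon can open a window
        hosts_hit, ips_hit = set(), set()
        for i, (start, _, _) in enumerate(logons):
            # Every logon from this one up to start + window.
            in_window = [e for e in logons[i:] if e[0] - start <= window]
            hosts = {host for _, host, _ in in_window}
            if len(hosts) >= min_hosts:
                hosts_hit |= hosts
                ips_hit |= {ip for _, _, ip in in_window}
        if hosts_hit:
            flagged[user] = {"hosts": sorted(hosts_hit), "src_ips": sorted(ips_hit)}
    return flagged
```

With the sample data, alice is flagged for WS01, WS02 and FS01 inside one hour, while bob's two logons are almost four hours apart and only show up if the window is widened.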