This search doesn't really give me what I need nor does the ES-TA. I need to figure out how I can determine if a single user is or has logged into more than one host from totally different devices over the day. I have some ideas but this seems slightly storage to write a search. Here's what I have
I managed to create the report using this search
index="oswinsec" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs", values(dvc) as "Domains Controller", count by user
| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users
Will something like this work for the single condition, and how would I modify it if the user is also logged in to one or more devices using the same user name?
Thx
How about this
updated typos
index="oswinsec" (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown) | bucket span=1d _time
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs", values(dvc) as "Domains Controller", count as Total_time_logged_in by _time, user | where Number_logged_hosts>1
| rename user as Users
| sort -Number_logged_hosts Users
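The logic of the search above (filter out machine and noise accounts, bucket by day, count distinct source IPs per user, keep users seen from more than one), as an added stand-alone Python example rather than Splunk code; it is not from the thread or from Splunk, and the logon events it processes are constructed sample records, not real logs. Field names follow the thread's search (EventCode, user, src_ip, dvc); the ISO timestamp format is an assumption.

```python
"""Per-user, per-day distinct-source-IP check over Windows logon events,
mirroring: filter noise accounts | bucket span=1d _time | stats dc(src_ip) by day, user
| where dc > 1 | sort -dc user.  Added example, not the thread's Splunk search."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs). Fields follow the thread's search.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:02:11Z", "EventCode": 4624, "user": "alice", "src_ip": "10.1.1.20", "dvc": "DC01"},
    {"_time": "2024-05-01T09:15:40Z", "EventCode": 4624, "user": "alice", "src_ip": "10.1.1.20", "dvc": "DC01"},
    {"_time": "2024-05-01T13:47:03Z", "EventCode": 4624, "user": "alice", "src_ip": "10.2.7.9",  "dvc": "DC02"},
    {"_time": "2024-05-01T08:30:00Z", "EventCode": 4624, "user": "bob",   "src_ip": "10.1.1.31", "dvc": "DC01"},
    # bob from a different IP, but on the next day: not flagged once bucketed by day
    {"_time": "2024-05-02T08:31:00Z", "EventCode": 4624, "user": "bob",   "src_ip": "10.1.1.77", "dvc": "DC01"},
    # machine account, anonymous logon and a non-logon event code: all filtered out
    {"_time": "2024-05-01T10:00:00Z", "EventCode": 540,  "user": "WKS01$", "src_ip": "10.1.1.5", "dvc": "DC01"},
    {"_time": "2024-05-01T10:05:00Z", "EventCode": 4624, "user": "ANONYMOUS LOGON", "src_ip": "10.1.1.6", "dvc": "DC01"},
    {"_time": "2024-05-01T11:00:00Z", "EventCode": 4672, "user": "alice", "src_ip": "10.9.9.9", "dvc": "DC01"},
]

LOGON_CODES = {540, 4624}
EXCLUDED_USERS = {"ANONYMOUS LOGON", "SYSTEM", "services", "Unknown"}


def is_interesting(event):
    """Mirror the search's NOT (...) clause: logon codes only, drop machine
    accounts (trailing $) and the listed noise accounts."""
    user = event["user"]
    return (event["EventCode"] in LOGON_CODES
            and not user.endswith("$")
            and user not in EXCLUDED_USERS)


def day_bucket(ts):
    """Equivalent of `bucket span=1d _time`: truncate to the calendar day (assumed UTC ISO timestamps)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()


def users_on_multiple_hosts(events, min_hosts=2):
    """Return one row per (day, user), like the stats output, keeping only users
    seen from at least `min_hosts` distinct source IPs on that day."""
    ips = defaultdict(set)
    dcs = defaultdict(set)
    counts = defaultdict(int)
    for ev in events:
        if not is_interesting(ev):
            continue
        key = (day_bucket(ev["_time"]), ev["user"])
        ips[key].add(ev["src_ip"])
        dcs[key].add(ev["dvc"])
        counts[key] += 1

    rows = []
    for (day, user), addrs in ips.items():
        if len(addrs) >= min_hosts:
            rows.append({
                "day": day,
                "Users": user,
                "Number_logged_hosts": len(addrs),
                "Logins IPs": sorted(addrs),
                "Domain Controller": sorted(dcs[(day, user)]),
                "Total_time_logged_in": counts[(day, user)],
            })
    # `sort -Number_logged_hosts Users`: most hosts first, then by user name
    rows.sort(key=lambda r: (-r["Number_logged_hosts"], r["Users"]))
    return rows


if __name__ == "__main__":
    for row in users_on_multiple_hosts(SAMPLE_EVENTS):
        print(row)
```

Run as-is it reports only alice for 2024-05-01 (two source IPs, three logons); bob's two IPs fall on different days, which is exactly the case the `bucket span=1d` step separates and the original un-bucketed search would have lumped together.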
Well, that's a start somesoni2 - Thank you. Aside from where I am getting unbalanced quotes (Logins IP's) I believe
I then am thrown the following
Error in 'stats' command: The argument 'Total_time_logged_in' is invalid.
Anyone else have thoughts on this?
@somesoni2 I forgot to say a big thanks!
Well this search will execute however I'm baffled why it believes the above argument is invalid
index=oswinsec (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs", values(dvc) as "Domain Controller", count by user
| rename user as Users
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users
Fixed the typos. Give it a try again.
Hmm same message - Error in 'stats' command: The argument 'Total_time_logged_in' is invalid.