Hello.
Again, these lookups ). They are the hardest thing about queries.
The search itself is meant to identify users who logged in from somewhere other than their own workstation.
index=windows user!=*$
|search (EventCode=4776 OR EventCode=4624)
|transaction user startswith=(EventCode="4624") endswith=(EventCode="4776")
|lookup workst_user hostname as Source_Workstation OUTPUT user as login
|table _time,EventCode,user,Source_Network_Address,Source_Workstation,dest_nt_host,name,status,dest,Logon_Type,Logon_Process
The Source_Workstation and user fields from the events are compared with the hostname and login fields from the workst_user lookup list.
The comparison itself: machines are compared with machines, and users with users. If any of the comparisons does not match, the non-matching fields of the event are output. How do I build the right lookup from these conditions?
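One way to write the comparison as a single search, added here as an example and not the query from the post: each 4776 credential-validation event already carries both user and Source_Workstation, so no transaction is needed; the search looks up the workstation assigned to that user and keeps only events where the two differ or the user is missing from the list. It assumes the workst_user lookup has one hostname row per user, that hostnames on both sides use the same form (NetBIOS name, no domain suffix), and that the lookup's user column matches the case of the event's user field.

```spl
index=windows EventCode=4776 user!=*$
| lookup workst_user user OUTPUT hostname AS expected_host
| eval src=lower(Source_Workstation), expected_host=lower(expected_host)
| eval reason=case(isnull(expected_host), "user not in workst_user",
                   src!=expected_host, "logged in from a workstation not assigned to this user")
| where isnotnull(reason)
| table _time, user, Source_Workstation, expected_host, reason, dest, status
```

Users absent from the lookup are reported as their own reason rather than silently dropped, so an incomplete workst_user list shows up in the results instead of hiding logons; 4776 covers NTLM validation only, so Kerberos-only logons would need the same comparison applied to 4624 with Workstation_Name.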