I am working on a query to extract all successful authentications (events 4624, 4768 and 4769) per user per day. The problem I am running into is that the Account_Name field can be present more than once (twice in event 4624). If I use the query:
source="wineventlog:security" (EventCode="4624" OR (EventCode="4768" OR EventCode="4769")) (action="success")
the first occurrence of Account_Name will always be selected as the user name, which in the case of event 4624 is wrong, and I get false results. If I change the index for the search of Account_Name to point at the second value:
eval login_account=mvindex(Account_Name,1)
then only 4624 events will be processed and I will lose the information from events 4768 and 4769.
There must be a way of writing an expression which will take care of both cases. Can somebody shed some light here?
Thanks
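An added example (not part of the original post) of one way to handle both cases in a single search. It picks the second Account_Name value only for 4624 events, where the first value is the Subject account that requested the logon and the second is the New Logon account, and the only value for 4768 and 4769, then counts per user per day. The source and field names are the ones from the question; the domain-suffix stripping and the exclusion of computer accounts (names ending in `$`) are assumptions about what "per user" should mean here and about how the Windows add-on extracts these events, not something the question states.

```spl
source="wineventlog:security" (EventCode=4624 OR EventCode=4768 OR EventCode=4769) action=success
| eval login_account=case(
      EventCode=4624, mvindex(Account_Name, 1),
      true(),         mvindex(Account_Name, 0))
| where isnotnull(login_account)
| eval login_account=lower(replace(login_account, "@.*$", ""))
| where NOT like(login_account, "%$")
| bin _time span=1d
| stats count AS logons values(EventCode) AS event_codes by _time, login_account
| sort _time, login_account
```

`mvindex(Account_Name, -1)` (the last value) would cover both cases in one expression and is shorter, but the `case()` form makes the intent explicit and yields null, which the `where isnotnull` line drops, if a 4624 event ever arrives with an unexpected number of Account_Name values instead of silently counting the wrong account. Before relying on the value order, check it on real data with `| table EventCode Account_Name`, since a different extraction configuration can change which position holds the New Logon account.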