I'm trying to take a search and put it into a data model. I really don't understand the documentation online about using root events and transaction events and the other stuff. I've done simple constraints with just one root event and that has been fine. I'm pretty sure I need to start with a root event but, since you can't put pipes in the constraints, I'm having a difficult time getting this search into the model. Here is the search:
(EventCode=4624 OR EventCode=4625) AND Logon_Type=3 Authentication_Package=NTLM NOT Account_Name="ANONYMOUS LOGON" AND Account_Domain="CHI" [ search EventCode=8001 NOT Domain_name_of_user="CHI" | where _time > relative_time(_time,"-5s") | eval Workstation_Name = host | fields + Workstation_Name ]
Any help with this is greatly appreciated!
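The posted search is, in effect, a correlation rule: NTLM network logons (4624/4625, Logon_Type=3) for the CHI domain, restricted to workstations that also produced an EventCode 8001 audit for a user from a domain other than CHI. Below is that detection logic written out in Python over a handful of constructed log lines, as an added example that is not part of the original question and has nothing to do with Splunk data models themselves. It uses the field names exactly as they appear in the search (EventCode, Logon_Type, Authentication_Package, Account_Name, Account_Domain, Domain_name_of_user, Workstation_Name, host); the line format, the sample events and the five-second pairing rule are assumptions. Two caveats about the search as posted, which the example does not try to reproduce: the subsearch returns only a list of Workstation_Name values, so the outer search is filtered by workstation name and not by time, and `where _time > relative_time(_time,"-5s")` compares each event's own timestamp with itself minus five seconds, which is true for every event. The example instead pairs a logon with an 8001 event from the same workstation when the two timestamps are within the window of each other.

```python
"""Correlate NTLM network logons with 8001 NTLM-audit events per workstation.

Added example (not from the original post). Field names follow the Splunk
extractions used in the question; the "<timestamp> key=value ..." line format
and the sample events are constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real log data. The 8001 events come from
# workstations (host=WS01/WS02); the 4624/4625 events come from a DC.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z host=WS01 EventCode=8001 Domain_name_of_user=CORP",
    # Logon_Type=2 (interactive), excluded by the Logon_Type=3 constraint
    "2024-05-01T10:00:02Z host=DC01 EventCode=4624 Logon_Type=2 Authentication_Package=NTLM Account_Name=alice Account_Domain=CHI Workstation_Name=WS01",
    # NTLM network logon 3 s after the 8001 on WS01: expected hit
    "2024-05-01T10:00:03Z host=DC01 EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Account_Name=alice Account_Domain=CHI Workstation_Name=WS01",
    # Kerberos, excluded by Authentication_Package=NTLM
    "2024-05-01T10:00:04Z host=DC01 EventCode=4624 Logon_Type=3 Authentication_Package=Kerberos Account_Name=alice Account_Domain=CHI Workstation_Name=WS01",
    # 20 s after the 8001: outside the default 5 s window
    "2024-05-01T10:00:20Z host=DC01 EventCode=4625 Logon_Type=3 Authentication_Package=NTLM Account_Name=bob Account_Domain=CHI Workstation_Name=WS01",
    # 8001 whose user is in CHI: excluded by NOT Domain_name_of_user="CHI"
    "2024-05-01T10:05:00Z host=WS02 EventCode=8001 Domain_name_of_user=CHI",
    "2024-05-01T10:05:01Z host=DC01 EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Account_Name=carol Account_Domain=CHI Workstation_Name=WS02",
    "2024-05-01T10:06:01Z host=WS01 EventCode=8001 Domain_name_of_user=CORP",
    # ANONYMOUS LOGON is excluded by the search's NOT clause
    '2024-05-01T10:06:00Z host=DC01 EventCode=4624 Logon_Type=3 Authentication_Package=NTLM Account_Name="ANONYMOUS LOGON" Account_Domain=CHI Workstation_Name=WS01',
    # Failed NTLM network logon 3 s after the second 8001 on WS01: expected hit
    "2024-05-01T10:06:04Z host=DC01 EventCode=4625 Logon_Type=3 Authentication_Package=NTLM Account_Name=dave Account_Domain=CHI Workstation_Name=WS01",
]

# key=value pairs; values may be double-quoted (Account_Name="ANONYMOUS LOGON").
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split '<ISO8601 UTC timestamp> key=value ...' into a dict with a '_time' datetime."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def is_ntlm_network_logon(ev, domain="CHI"):
    """Outer-search constraints from the posted SPL."""
    return (
        ev.get("EventCode") in ("4624", "4625")
        and ev.get("Logon_Type") == "3"
        and ev.get("Authentication_Package") == "NTLM"
        and ev.get("Account_Name") != "ANONYMOUS LOGON"
        and ev.get("Account_Domain") == domain
    )


def is_foreign_ntlm_audit(ev, domain="CHI"):
    """Subsearch constraints: EventCode=8001 NOT Domain_name_of_user=<domain>."""
    return ev.get("EventCode") == "8001" and ev.get("Domain_name_of_user") != domain


def correlate(lines, window_seconds=5, domain="CHI"):
    """Return (account, workstation, event_code, audited_domain) for each logon
    that has an 8001 event from the same workstation within the window.

    Assumption: the 8001 event's host is the workstation name (the subsearch's
    'eval Workstation_Name = host'), and 'within the window' means the absolute
    time difference is at most window_seconds.
    """
    events = [parse_event(line) for line in lines]
    audits = [e for e in events if is_foreign_ntlm_audit(e, domain)]
    window = timedelta(seconds=window_seconds)
    hits = []
    for logon in (e for e in events if is_ntlm_network_logon(e, domain)):
        for audit in audits:
            if (audit.get("host") == logon.get("Workstation_Name")
                    and abs(logon["_time"] - audit["_time"]) <= window):
                hits.append((logon["Account_Name"], logon["Workstation_Name"],
                             logon["EventCode"], audit["Domain_name_of_user"]))
                break  # one match per logon is enough to alert
    return hits


if __name__ == "__main__":
    for account, workstation, code, foreign_domain in correlate(SAMPLE_EVENTS):
        print(f"{code} for {account} from {workstation} paired with 8001 audit for domain {foreign_domain}")
```

With the default window only alice (4624) and dave (4625) are reported; widening the window to 30 seconds also picks up bob's failed logon 20 seconds after the first 8001 event, which is the kind of tuning the SPL version would need to express explicitly rather than through the subsearch's `where` clause.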