A couple of things to add. How frequently would you run this search? I have been thinking about running it every 15 minutes for the last hour or maybe 2 hours. Should I reduce this to just interactive logon types such as 2, 10, or 11? That way it pulls fewer events to compute. Also, what is the best way to return the outliers? You have evals, but shouldn't there be a stats or something like that at the end after all the evals are computed? I feel that LogonType 3 is very noisy, but it is a net login, so I am not sure how to report on this event.
index=wineventlog LogName=Security EventCode=4624 host!="DC" Account_Name!="$" Account_Name!="ANONYMOUS LOGON" Account_Name!="Service_Account"
| eval Account_Domain=(mvindex(Account_Domain,1))
| eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name)
| eval Account_Name=if(Account_Name="$",(mvindex(Account_Name,1)), Account_Name)
| eval Time=strftime(_time,"%Y/%m/%d %T")
| eval Logon_Type=case(Logon_Type=2,"Local Logon of Server",Logon_Type=8,"New Clear Text IIS Logon",Logon_Type=9,"RUN AS COMMAND",Logon_Type=4,"Batch Job",Logon_Type=5,"Scheduled Service",Logon_Type=3,"Net Use",1=1,Logon_Type)
| bin _time span=1h
| stats count values(Account_Domain) AS Domain, values(host) AS Host, dc(host) AS Host_Count, values(Logon_Type) AS Logon_Type, values(Workstation_Name) AS WS_Name, values(Source_Network_Address) AS Source_IP, values(Process_Name) AS Process_Name by Account_Name _time
| where Host_Count > 2
| streamstats window=2 avg(count) as avg stdev(count) as stdev by Account_Name
| eval lower_bound=avg-(stdev*1.5)
| eval upper_bound=avg+(stdev*1.5)
| eval isOutlier=if(count>upper_bound OR count<lower_bound, 1, 0)
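The following is an added example, not code from the post above: a Python model of the same pipeline (base-search filters, hourly bin per account, `dc(host) > 2`, rolling baseline, `avg +/- 1.5*stdev` bounds) run over constructed 4624-style events, so the behaviour of each stage can be checked offline. All accounts, hosts and times are made up. Two things differ from the SPL on purpose and are assumptions of this example, not the author's method: the baseline is computed from the previous hours only (the equivalent of `streamstats current=false`), and a minimum amount of history is required before an hour is judged. The reason is arithmetic: when the current row is part of its own window, the largest deviation any single value can have from the window mean is `(n-1)/sqrt(n)` sample standard deviations, so with `window=2` (0.71) or even `window=4` (exactly 1.5) the `isOutlier` flag can never fire at `1.5*stdev`. The function returns only the flagged rows, which is what a final `| where isOutlier=1 | table ...` would give in SPL, and the `interactive_only` switch shows how much the type-3 network logons inflate the hourly counts.

```python
"""Added example (not from the original post): Python model of the SPL outlier
search above, run over constructed 4624-style events. Accounts, hosts and
timestamps are made up."""
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

INTERACTIVE_LOGON_TYPES = {2, 10, 11}            # console, RDP, cached interactive
EXCLUDED_ACCOUNTS = {"ANONYMOUS LOGON", "Service_Account"}


def max_possible_z(n):
    """Largest distance (in sample-stdev units) any one value in a window of n
    can be from that window's own mean. With the current row inside the
    window, a 1.5*stdev threshold is unreachable for n < 5."""
    return (n - 1) / math.sqrt(n)


def make_events(account, hour, hosts, n, logon_type=10):
    """Constructed helper: n logons by `account` during `hour` on 2018-01-02,
    spread round-robin over `hosts`. Returns 4624-like dicts."""
    return [{"EventCode": 4624, "_time": datetime(2018, 1, 2, hour, i % 60),
             "host": hosts[i % len(hosts)], "Account_Name": account,
             "Logon_Type": logon_type} for i in range(n)]


WS = ["WS01", "WS02", "WS03", "WS04"]     # hypothetical workstation names

SAMPLE_EVENTS = (
    # alice: steady 3-4 RDP logons/hour across 3+ hosts, then a burst of 12
    make_events("alice", 8, WS[:3], 3) + make_events("alice", 9, WS[:3], 4)
    + make_events("alice", 10, WS[:3], 3) + make_events("alice", 11, WS[:3], 4)
    + make_events("alice", 12, WS, 12)
    # bob: steady 10-11 per hour, then drops to 3
    + make_events("bob", 8, WS[:3], 10) + make_events("bob", 9, WS[:3], 11)
    + make_events("bob", 10, WS[:3], 10) + make_events("bob", 11, WS[:3], 11)
    + make_events("bob", 12, WS[:3], 3)
    # noise the first line of the search is meant to drop
    + make_events("WS01$", 12, WS, 40, logon_type=3)    # computer account
    + make_events("Service_Account", 12, WS, 40)         # service account
    + make_events("alice", 12, ["DC"], 30)               # domain controller
    # type-3 network logons: kept or dropped depending on interactive_only
    + make_events("alice", 12, WS, 20, logon_type=3)
)


def find_outliers(events, interactive_only=True, window=4, min_history=3,
                  sigma=1.5, min_hosts=3):
    """Filter -> bin per account/hour -> require >= min_hosts distinct hosts
    -> baseline from the previous `window` hours -> flag hours outside
    avg +/- sigma*stdev. Returns only the outlier rows."""
    # 1. base search: EventCode=4624, host!=DC, drop machine/service/anon accounts
    kept = [e for e in events
            if e["EventCode"] == 4624 and e["host"] != "DC"
            and not e["Account_Name"].endswith("$")
            and e["Account_Name"] not in EXCLUDED_ACCOUNTS
            and (not interactive_only or e["Logon_Type"] in INTERACTIVE_LOGON_TYPES)]
    # 2. bin _time span=1h | stats count dc(host) by Account_Name _time
    bins = defaultdict(lambda: {"count": 0, "hosts": set()})
    for e in kept:
        key = (e["Account_Name"], e["_time"].replace(minute=0, second=0, microsecond=0))
        bins[key]["count"] += 1
        bins[key]["hosts"].add(e["host"])
    # 3. where Host_Count > 2 (min_hosts=3), ordered by account then hour
    rows = sorted((acct, t, b["count"], len(b["hosts"]))
                  for (acct, t), b in bins.items() if len(b["hosts"]) >= min_hosts)
    # 4. rolling baseline per account from prior hours only (current excluded)
    history, outliers = defaultdict(list), []
    for acct, t, count, host_count in rows:
        prior = history[acct][-window:]
        if len(prior) >= min_history:          # do not judge on too little history
            avg = mean(prior)
            sd = stdev(prior) if len(prior) > 1 else 0.0   # stdev() needs >= 2 values
            lower, upper = avg - sigma * sd, avg + sigma * sd
            if count > upper or count < lower:
                outliers.append({"Account_Name": acct,
                                 "Time": t.strftime("%Y/%m/%d %H:%M:%S"),
                                 "count": count, "Host_Count": host_count,
                                 "avg": round(avg, 2), "stdev": round(sd, 2),
                                 "direction": "high" if count > upper else "low"})
        history[acct].append(count)
    return outliers


if __name__ == "__main__":
    for row in find_outliers(SAMPLE_EVENTS):
        print(row)
```

With the constructed data, the interactive-only run reports alice's burst of 12 at 12:00 (baseline 3.5, stdev 0.58) and bob's drop to 3 (baseline 10.5); with `interactive_only=False` alice's 12:00 count becomes 32 because the type-3 logons are folded in, which is the noise the post describes. Note that `Host_Count > 2` also drops any quiet hour where an account touched only one or two hosts, so low-side outliers are only visible when the account was still spread across three hosts.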