Hello All,
I created a query that looks for event 4767 (A user account was unlocked) and it returns the date/time of the event, the Administrator (Account_Name) who unlocked the account and the user whose account was unlocked. The problem is that it also lists the user's account under the "who unlocked the user" column. I think the query is pulling that information from the Target Account --> Account Name field. How do I exclude that from my results?
Here is my query:
index="wineventlog" EventCode=4767 user=$users$ | stats count by _time, Account_Name, user | fields - count | sort - _time
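As an added illustration (this is example code, not part of the original post and not Splunk's own code), the Python below shows why a single field that collects every "Account Name:" value from an event 4767 message yields both the administrator and the unlocked user, and how parsing the Subject block separately from the Target Account block keeps the two apart. The event records, field names (`unlocked_by`, `unlocked_user`) and function names (`all_account_names`, `parse_4767`, `unlock_report`) are constructed for this example; the message text follows the Subject / Target Account layout Windows uses for event 4767, and the `user` argument stands in for the `$users$` token in the query above.

```python
"""
Example (not from the original post): separate the Subject account (who
performed the unlock) from the Target Account (who was unlocked) in
Windows Security event 4767 messages, then build a report that mimics
`stats count by _time, unlocked_by, user | sort - _time`.
"""
import re
from typing import Optional

# Constructed sample events. Each 4767 message has a "Subject:" block and a
# "Target Account:" block, and BOTH blocks carry an "Account Name:" line.
SAMPLE_EVENTS = [
    {"_time": "2023-05-01 09:15:02", "EventCode": 4767, "Message":
        "A user account was unlocked.\n\n"
        "Subject:\n\tSecurity ID:\t\tS-1-5-21-111-222-333-1104\n"
        "\tAccount Name:\t\tadmin.jane\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n\n"
        "Target Account:\n\tSecurity ID:\t\tS-1-5-21-111-222-333-2201\n"
        "\tAccount Name:\t\tbob.smith\n\tAccount Domain:\t\tCORP\n"},
    {"_time": "2023-05-01 11:40:17", "EventCode": 4767, "Message":
        "A user account was unlocked.\n\n"
        "Subject:\n\tSecurity ID:\t\tS-1-5-21-111-222-333-1105\n"
        "\tAccount Name:\t\tadmin.raj\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x4F2A1\n\n"
        "Target Account:\n\tSecurity ID:\t\tS-1-5-21-111-222-333-2201\n"
        "\tAccount Name:\t\tbob.smith\n\tAccount Domain:\t\tCORP\n"},
    {"_time": "2023-05-02 08:05:44", "EventCode": 4767, "Message":
        "A user account was unlocked.\n\n"
        "Subject:\n\tSecurity ID:\t\tS-1-5-21-111-222-333-1104\n"
        "\tAccount Name:\t\tadmin.jane\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n\n"
        "Target Account:\n\tSecurity ID:\t\tS-1-5-21-111-222-333-2330\n"
        "\tAccount Name:\t\talice.w\n\tAccount Domain:\t\tCORP\n"},
    # A lockout (4740) that the EventCode filter must drop (constructed, abbreviated).
    {"_time": "2023-05-01 09:10:00", "EventCode": 4740, "Message":
        "A user account was locked out.\n\nSubject:\n\tAccount Name:\t\tDC01$\n\n"
        "Account That Was Locked Out:\n\tAccount Name:\t\tbob.smith\n"},
]


def all_account_names(message: str) -> list:
    """Naive extraction: every 'Account Name:' value in the message.
    For 4767 this returns [subject, target], i.e. the admin AND the
    unlocked user, which is the symptom described in the post."""
    return re.findall(r"Account Name:\s*(\S+)", message)


def _section(message: str, header: str) -> str:
    """Text of the block that starts with `header` (e.g. 'Subject:') and
    runs until the next blank line or the end of the message."""
    pattern = r"^" + re.escape(header) + r"\n(.*?)(?=\n\n|\Z)"
    m = re.search(pattern, message, re.S | re.M)
    return m.group(1) if m else ""


def _account_name(block: str) -> Optional[str]:
    m = re.search(r"Account Name:\s*(\S+)", block)
    return m.group(1) if m else None


def parse_4767(message: str) -> dict:
    """Section-aware extraction: the Subject's account name is the one who
    unlocked, the Target Account's name is the account that was unlocked."""
    return {
        "unlocked_by": _account_name(_section(message, "Subject:")),
        "unlocked_user": _account_name(_section(message, "Target Account:")),
    }


def unlock_report(events, user: Optional[str] = None) -> list:
    """Rows of (_time, unlocked_by, user) for event 4767, newest first.
    `user` restricts the report to one unlocked account, like `user=$users$`.
    Events whose message lacks either block are skipped rather than guessed."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != 4767:
            continue
        parsed = parse_4767(ev["Message"])
        if parsed["unlocked_by"] is None or parsed["unlocked_user"] is None:
            continue
        if user is not None and parsed["unlocked_user"] != user:
            continue
        rows.append({"_time": ev["_time"],
                     "unlocked_by": parsed["unlocked_by"],
                     "user": parsed["unlocked_user"]})
    rows.sort(key=lambda r: r["_time"], reverse=True)  # sort - _time
    return rows


if __name__ == "__main__":
    print("naive:", all_account_names(SAMPLE_EVENTS[0]["Message"]))
    for row in unlock_report(SAMPLE_EVENTS, user="bob.smith"):
        print(row)
```

The naive extractor is the behaviour to avoid: it flattens both blocks into one list, so any report keyed on that list shows the unlocked user in the "unlocked by" column as well. Keying the report on the Subject block alone gives one row per unlock with the administrator only.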