Hi there,
I hope for some help with a query.
I'm using the following query to get a list of all failed login attempts and so far it works.
index=smth EventCode=4625 Account_Domain="*"
|fillnull value=NULL
|eval Account_Name = mvindex(Account_Name,1)
|eval LoginType=case(Logon_Type=2,"Interactive",Logon_Type=3,"Network",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=8,"Network Cleartext",Logon_Type=9,"New Credentials",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",1==1,"Other")
|bin _time span=1h
|stats count by host, Account_Name, LoginType, _time, Account_Domain
|sort -count
I'd like to check whether it's possible to define an additional condition based on predefined timeframes.
For example, I want to list all failed logins for domain RUSSIA for Russia's out of office hours "from 6pm to 7am"
Then the same condition but for ASIA and so on.
So, the condition will be: if the failed login's domain equals RUSSIA and the timeframe equals (predefined value), then show it in the report.
Hope it's clear what I want to do 🙂
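The per-domain out-of-office check described in the post, as an added example that is not part of the original post or of any Splunk answer to it. It assumes a mapping from Windows domain to an IANA time zone and a local-time window (RUSSIA to Europe/Moscow and ASIA to Asia/Singapore are assumptions, as are the sample 4625 events), converts each event's UTC timestamp into that domain's local time, and tests it against a window that wraps past midnight (18:00 to 07:00). The same UTC instant is flagged for one domain and not the other, which is the point of doing the conversion per domain rather than in the search head's own time zone.

```python
"""Per-domain out-of-office filter for Windows 4625 (failed logon) events.

Added example, not code from the original post. The domain-to-time-zone
table and the sample events are constructed assumptions; the window
"6pm to 7am" is the one asked for in the post.
"""
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

# Assumed mapping: Windows domain -> (IANA zone, window start, window end),
# with the window in that region's local time. start > end means the
# window wraps past midnight (18:00 -> 07:00 the next day).
OUT_OF_OFFICE = {
    "RUSSIA": ("Europe/Moscow", time(18, 0), time(7, 0)),
    "ASIA":   ("Asia/Singapore", time(18, 0), time(7, 0)),
}


def utc(year, month, day, hour, minute=0):
    """Build a timezone-aware UTC datetime (helper for the samples and tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def in_window(local, start, end):
    """True if local time is in [start, end); handles a window that wraps midnight."""
    if start <= end:
        return start <= local < end
    return local >= start or local < end


def is_out_of_office(domain, event_time):
    """Convert the event's UTC timestamp to the domain's zone and test the window."""
    if domain not in OUT_OF_OFFICE:
        return False  # no window defined for this domain: never flagged
    zone, start, end = OUT_OF_OFFICE[domain]
    local = event_time.astimezone(ZoneInfo(zone)).time()
    return in_window(local, start, end)


def filter_out_of_hours(events):
    """Return the 4625 events that fall inside their domain's out-of-office window."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4625:
            continue
        ts = datetime.fromtimestamp(ev["_time"], tz=timezone.utc)
        domain = ev.get("Account_Domain", "")
        if not is_out_of_office(domain, ts):
            continue
        zone = OUT_OF_OFFICE[domain][0]
        names = ev.get("Account_Name", [])
        # 4625 carries subject and target account names; like the post, take index 1 (the target).
        target = names[1] if isinstance(names, list) and len(names) > 1 else names
        hits.append({
            "host": ev["host"],
            "Account_Domain": domain,
            "Account_Name": target,
            "zone": zone,
            "local_time": ts.astimezone(ZoneInfo(zone)).strftime("%Y-%m-%d %H:%M"),
        })
    return hits


# Constructed sample events (epoch seconds, as Splunk's _time would carry them).
SAMPLE_EVENTS = [
    {"host": "dc01", "EventCode": 4625, "Account_Domain": "RUSSIA",
     "Account_Name": ["-", "ivanov"], "_time": utc(2024, 3, 15, 20, 30).timestamp()},  # 23:30 MSK -> flagged
    {"host": "dc01", "EventCode": 4625, "Account_Domain": "RUSSIA",
     "Account_Name": ["-", "petrov"], "_time": utc(2024, 3, 15, 11, 30).timestamp()},  # 14:30 MSK -> office hours
    {"host": "dc02", "EventCode": 4625, "Account_Domain": "ASIA",
     "Account_Name": ["-", "tan"], "_time": utc(2024, 3, 15, 11, 30).timestamp()},     # same instant, 19:30 SGT -> flagged
    {"host": "dc02", "EventCode": 4625, "Account_Domain": "ASIA",
     "Account_Name": ["-", "lim"], "_time": utc(2024, 3, 14, 22, 30).timestamp()},     # 06:30 SGT next day -> flagged (wrap)
    {"host": "dc01", "EventCode": 4625, "Account_Domain": "RUSSIA",
     "Account_Name": ["-", "sidorov"], "_time": utc(2024, 3, 15, 4, 0).timestamp()},   # 07:00 MSK exactly -> end is exclusive
    {"host": "dc03", "EventCode": 4625, "Account_Domain": "CORP",
     "Account_Name": ["-", "admin"], "_time": utc(2024, 3, 15, 1, 0).timestamp()},     # no window defined -> skipped
    {"host": "dc02", "EventCode": 4624, "Account_Domain": "ASIA",
     "Account_Name": ["-", "tan"], "_time": utc(2024, 3, 15, 12, 0).timestamp()},      # successful logon -> skipped
]

if __name__ == "__main__":
    for hit in filter_out_of_hours(SAMPLE_EVENTS):
        print(hit)
```

To carry the same logic into the SPL above, the OUT_OF_OFFICE table becomes a CSV lookup keyed on Account_Domain with the region's UTC offset and the window's start and end hours; an eval shifts _time by that offset before taking the hour, and a where clause applies the wrap-aware comparison (hour >= start OR hour < end when start > end). Two caveats apply either way: the offset must reflect daylight-saving rules for regions that have them, and the subject account (index 0 of Account_Name) is still worth keeping in the output for logon types where it is not "-".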