Thanks for your response. The required result is to determine if a single system was logging into multiple systems within a time period. If system credentials were compromised, they may be logging into multiple systems within a time span. I understand event 4624 is a legitimate log, but it may indicate a possible issue if logging from the same system into multiple devices. I really don't need the | where Dest_Count >35. I need to know, for example, within 2 minutes if 10 successful logins from the same system. That's why I was attempting to use the | transaction src maxspan=10m maxpause=2m. I hope that clears up the requirements.
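The requirement described in the post above (10 successful 4624 logons from the same source within 2 minutes), as an added example that is not part of the original post and is not Splunk search syntax. It shows the sliding-window logic in Python over constructed events; the `src`/`dest` tuple layout, the host names and the function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # from the post: "within 2 minutes"
THRESHOLD = 10                  # from the post: "10 successful logins"


def make_events():
    """Constructed sample of 4624 logons as (time, src, dest) tuples."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # WKSTN-07 logs on to 10 different hosts, 10 seconds apart (90 s in total).
    for i in range(10):
        events.append((base + timedelta(seconds=10 * i), "WKSTN-07", f"SRV-{i:02d}"))
    # ADMIN-01 logs on to 10 hosts, one per minute: never 10 inside any 2 minutes.
    for i in range(10):
        events.append((base + timedelta(minutes=i), "ADMIN-01", f"SRV-{i:02d}"))
    return events


def detect_fanout(events, window=WINDOW, threshold=THRESHOLD):
    """Return {src: details} for sources reaching `threshold` logons in `window`."""
    recent = defaultdict(deque)   # per-source logons still inside the window
    alerts = {}
    for ts, src, dest in sorted(events):
        q = recent[src]
        q.append((ts, dest))
        # Slide the window: drop logons older than `window` relative to this one.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "first_seen": q[0][0],
                "triggered": ts,
                "logons": len(q),
                "dest_count": len({d for _, d in q}),  # distinct destinations
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_fanout(make_events()).items():
        print(src, info)
```

Unlike a fixed 2-minute bucket, the sliding window also catches a burst that straddles a bucket boundary.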