Hello,
I have these two searches:
sourcetype=pan:threat src IN (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12)
| where raw_category = "web-advertisements"
| stats count by src
| sort count DESC
and
sourcetype="WinEventLog:Security"
| top limit=1 Account_Name
| table Account_Name
The src field from "pan:threat" sourcetype will be found as "Source Address" or "Source Network Address" on "WinEventLog:Security" sourcetype.
I want to retrieve the Account_Name field from "WinEventLog:Security" for each src in "pan:threat" and show them in a table with src and count from "pan:threat" and Account_Name from "WinEventLog:Security". Is this possible?
Thanks in advance.
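One way to do the correlation the question asks for, as an added example that is not part of the original post: pull both sourcetypes in a single search, normalize the client address into one field, and let stats do the join on that field (this avoids the row and memory limits of the join command). It assumes the Windows TA has extracted the fields as Source_Network_Address and Source_Address (spaces replaced by underscores); check the actual field names in your index before relying on them.

```spl
(sourcetype=pan:threat src IN (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) raw_category="web-advertisements")
OR (sourcetype="WinEventLog:Security" (Source_Network_Address=* OR Source_Address=*))
| eval src=coalesce(src, Source_Network_Address, Source_Address)
| where isnotnull(src) AND src!="-" AND src!="::1" AND src!="127.0.0.1"
| eval pan_hit=if(sourcetype="pan:threat", 1, 0)
| stats sum(pan_hit) AS count, values(Account_Name) AS Account_Name by src
| where count > 0
| sort - count
| table src count Account_Name
```

Two caveats a practitioner should keep in mind: count only sums the pan:threat events, so the Windows events contribute the Account_Name values without inflating the count; and Account_Name is multivalue on many Security events (for example the subject and target accounts on a logon event), so values() will list every account seen from that address in the search window. Because a workstation address can be reassigned by DHCP, keep the time range of this search short, or the same src will accumulate accounts that belonged to different hosts.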