I need an alert that notifies me when the SAME Account_Name logs into 2 specific hosts within the same 30-minute window. I'd like to see the events grouped by Account_Name. We auth with AD. I'm not sure of the best way to do this. Logically, it works, but I only see events from the bracketed [search]. Any help would be appreciated. Thank you.
Here's what I have so far:
index=wineventlog earliest=-30m latest=now source="WinEventLog:Security" src_ip="10.14.111.60"
| join type=inner Account_Name
    [ search index=wineventlog earliest=-30m latest=now source="WinEventLog:Security" src_ip="10.13.111.60"
      | stats earliest(_time) AS second_host_time BY Account_Name ]
| stats earliest(_time) AS first_host_time values(second_host_time) AS second_host_time count AS first_host_logons BY Account_Name
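The reason the original join shows only subsearch events is Splunk's default overwrite=true on join: for every Account_Name that matches, the subsearch's field values (src_ip, _time and the rest) replace the main search's, so each row ends up looking like a 10.13.111.60 event. Reducing the subsearch to one row per Account_Name with only a renamed timestamp avoids that collision, and a single search over both src_ip values followed by stats dc(src_ip) BY Account_Name avoids join entirely. The second thing worth checking is the window itself: a scheduled search with earliest=-30m latest=now only sees fixed, non-overlapping 30-minute buckets, so two logons 7 minutes apart that straddle a bucket boundary are never seen together. The Python below is an added example, not code from the original post or from Splunk; it runs the same correlation over constructed sample events shaped like the fields Splunk extracts from WinEventLog:Security, assumes EventCode 4624 is the "logs into" event, uses the two src_ip values from the question, and contrasts a sliding 30-minute window (correlate) with the tumbling buckets a scheduled search sees (correlate_tumbling). All names and sample data are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two src_ip values from the question. "Host" here is whatever field identifies
# the machine in your events; the original search keyed on src_ip, so this does too.
WATCHED_HOSTS = {"10.14.111.60", "10.13.111.60"}
WINDOW = timedelta(minutes=30)
# Assumption: "logs into" means a successful Windows logon, EventCode 4624.
SUCCESSFUL_LOGON = 4624

# Constructed sample events (not real data), shaped like Splunk's WinEventLog:Security fields.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:58:00", "EventCode": 4624, "Account_Name": "jdoe", "src_ip": "10.14.111.60"},
    {"_time": "2024-03-01T10:05:00", "EventCode": 4624, "Account_Name": "jdoe", "src_ip": "10.13.111.60"},   # 7 min apart, crosses the 10:00 bucket boundary
    {"_time": "2024-03-01T10:00:00", "EventCode": 4624, "Account_Name": "asmith", "src_ip": "10.14.111.60"},
    {"_time": "2024-03-01T10:10:00", "EventCode": 4624, "Account_Name": "asmith", "src_ip": "10.99.1.1"},     # not a watched host
    {"_time": "2024-03-01T10:45:00", "EventCode": 4624, "Account_Name": "asmith", "src_ip": "10.13.111.60"},  # 45 min apart: too far
    {"_time": "2024-03-01T10:10:00", "EventCode": 4624, "Account_Name": "svc_backup", "src_ip": "10.14.111.60"},
    {"_time": "2024-03-01T10:12:00", "EventCode": 4624, "Account_Name": "svc_backup", "src_ip": "10.14.111.60"},  # same host twice: no alert
    {"_time": "2024-03-01T10:20:00", "EventCode": 4625, "Account_Name": "jdoe", "src_ip": "10.13.111.60"},   # failed logon: ignored
    {"_time": "2024-03-01T10:32:00", "EventCode": 4624, "Account_Name": "bchen", "src_ip": "10.13.111.60"},
    {"_time": "2024-03-01T10:50:00", "EventCode": 4624, "Account_Name": "bchen", "src_ip": "10.14.111.60"},   # 18 min apart, same bucket
]


def parse_events(raw):
    """Convert ISO timestamps to datetime and return the events in time order."""
    parsed = [{**e, "_time": datetime.fromisoformat(e["_time"])} for e in raw]
    return sorted(parsed, key=lambda e: e["_time"])


def _is_watched_logon(e, hosts):
    return e.get("EventCode") == SUCCESSFUL_LOGON and e.get("src_ip") in hosts


def correlate(events, hosts=WATCHED_HOSTS, window=WINDOW):
    """Sliding-window correlation, one pass over the events in time order.

    Keeps, per Account_Name, the watched-host logons seen in the last `window`.
    When a logon arrives from a different watched host than one still in that
    buffer, the account has hit both hosts within the window: emit one alert
    and reset the buffer so the same pair is not reported again.
    """
    recent = defaultdict(deque)   # Account_Name -> deque of (time, src_ip)
    alerts = []
    for e in parse_events(events):
        if not _is_watched_logon(e, hosts):
            continue
        acct, now, host = e["Account_Name"], e["_time"], e["src_ip"]
        q = recent[acct]
        while q and now - q[0][0] > window:   # drop logons older than the window
            q.popleft()
        other = [(t, h) for t, h in q if h != host]
        if other:
            first_t, first_h = other[0]
            alerts.append({
                "Account_Name": acct,
                "hosts": sorted({first_h, host}),
                "first_seen": first_t,
                "last_seen": now,
                "span": now - first_t,
            })
            q.clear()
            continue
        q.append((now, host))
    return alerts


def correlate_tumbling(events, hosts=WATCHED_HOSTS, window=WINDOW):
    """What a scheduled search with earliest=-30m latest=now sees: fixed,
    non-overlapping buckets aligned to the clock. A pair that straddles a
    bucket boundary is never in the same result set and is missed."""
    buckets = defaultdict(lambda: defaultdict(set))   # bucket start -> Account_Name -> hosts
    for e in parse_events(events):
        if not _is_watched_logon(e, hosts):
            continue
        t = e["_time"]
        bucket = t - (t - datetime.min) % window
        buckets[bucket][e["Account_Name"]].add(e["src_ip"])
    return sorted({acct for per_acct in buckets.values()
                   for acct, hs in per_acct.items() if len(hs) == 2})


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"sliding : {a['Account_Name']} hit {a['hosts']} "
              f"{a['first_seen']:%H:%M} -> {a['last_seen']:%H:%M} ({a['span']})")
    print("tumbling:", correlate_tumbling(SAMPLE_EVENTS))
```

With the sample data the sliding window reports jdoe (7 minutes apart) and bchen (18 minutes apart), while the tumbling buckets report only bchen, because jdoe's two logons fall on either side of 10:00. In Splunk the equivalent of the sliding version is to search a wider range than the alert interval (for example earliest=-60m on a search scheduled every 30 minutes) and check max(_time)-min(_time)<=1800 per Account_Name, then dedupe alerts by throttling on Account_Name.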