Alert on Interactive logins

diegosainz · ‎10-15-2013

I am looking to run a daily report of users from a specific OU that are listed as logging in interactively (EventCode=4624 AND Logon_Type=3). Is there a way to run the subsearch to correlate that for a daily report?

lukejadamec · ‎10-15-2013

Schedule the following search to run once a day, and send you an email with the results.

index=main sourcetype="*security*" EventCode=4624 Logon_Type=3  |eval Account_Name=mvindex(Account_Name,1)|search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON"| dedup Account_Name,ComputerName |table _time,Account_Name,ComputerName

eval Account_Name=mvindex(Account_Name,1) Takes the second Account Name field from the event Message field. Check your logs to verify it is the second Account Name you're interested in, change the 1 to a 0 if you want the first. If you want to show both, let me know.

search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON" removes the system accounts and the NT Authority activity. Remove this if you want to show all accounts.

dedup Account_Name,ComputerName Takes the most recent pair and drops the others. Remove this if you want to show each logon event.

Alert on Interactive logins

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

Alert on Interactive logins

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025