I am looking to run a daily report of users from a specific OU that are listed as logging in interactively (EventCode=4624 AND Logon_Type=3). Is there a way to run the subsearch to correlate that for a daily report?
Schedule the following search to run once a day, and send you an email with the results.
index=main sourcetype="*security*" EventCode=4624 Logon_Type=3
| eval Account_Name=mvindex(Account_Name,1)
| search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON"
| dedup Account_Name,ComputerName
| table _time,Account_Name,ComputerName
eval Account_Name=mvindex(Account_Name,1): takes the second Account Name value from the event's Message field. Check your logs to verify that the second Account Name is the one you're interested in; change the 1 to a 0 if you want the first. If you want to show both, let me know.
search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON": removes the system (machine) accounts and the NT AUTHORITY activity. Remove this if you want to show all accounts.
dedup Account_Name,ComputerName: keeps the most recent event for each Account_Name/ComputerName pair and drops the others. Remove this if you want to show each logon event.
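Added example (Python, not part of the original post and not Splunk code): the posted search re-implemented over a handful of constructed 4624 events, so you can see which Account Name mvindex picks, which events the two NOT filters drop, and which event dedup keeps for a repeated Account_Name/ComputerName pair. The helper names (make_message, event, daily_logon_report), the sample hosts and the user names are assumptions made for the example. The logon_type parameter is exposed because Windows logon type 3 is a network logon and type 2 is the interactive one, so the same code runs either way.

```python
import re

# Splunk extracts every "Account Name:" line of a 4624 Message into one
# multivalued Account_Name field, in the order they appear: Subject first,
# New Logon second. This regex reproduces that extraction.
ACCOUNT_NAME_RE = re.compile(r"^\s*Account Name:\s*(.+?)\s*$", re.MULTILINE)


def make_message(subject_name, new_logon_name, logon_type):
    """Build a constructed 4624 Message body (not a real event) in the
    Windows layout: Subject block, Logon Type, then New Logon block."""
    return (
        "An account was successfully logged on.\n"
        "Subject:\n"
        f"\tAccount Name:\t\t{subject_name}\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "New Logon:\n"
        f"\tAccount Name:\t\t{new_logon_name}\n"
    )


def event(ts, host, logon_type, subject, new_logon):
    """One constructed event carrying the fields the posted search relies on."""
    return {
        "_time": ts,  # ISO 8601 text, so string order equals time order
        "ComputerName": host,
        "EventCode": 4624,
        "Logon_Type": logon_type,
        "Message": make_message(subject, new_logon, logon_type),
    }


# Constructed sample data (hypothetical hosts and users) covering each branch.
SAMPLE_EVENTS = [
    event("2024-01-15T08:01:00", "FS01", 3, "-", "jsmith"),           # kept, then superseded by dedup
    event("2024-01-15T09:30:00", "FS01", 3, "-", "jsmith"),           # most recent jsmith/FS01 pair
    event("2024-01-15T07:15:00", "DC01", 3, "-", "adoe"),             # kept
    event("2024-01-15T08:20:00", "DC01", 3, "-", "WS042$"),           # machine account, filtered
    event("2024-01-15T08:25:00", "DC01", 3, "-", "ANONYMOUS LOGON"),  # filtered
    event("2024-01-15T08:40:00", "WS042", 2, "WS042$", "jsmith"),     # Logon_Type 2, not type 3
]


def account_names(message):
    """The multivalued Account_Name field for one event, in message order."""
    return ACCOUNT_NAME_RE.findall(message)


def mvindex(values, i):
    """SPL mvindex(): returns null (None) instead of raising when the index is
    out of range, e.g. a 4624 whose Message has only one Account Name line."""
    return values[i] if -len(values) <= i < len(values) else None


def excluded(name):
    """search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON".
    SPL's NOT keeps events where the field is null, so None passes through."""
    if name is None:
        return False
    return name.endswith("$") or name == "ANONYMOUS LOGON"


def dedup_most_recent(rows, keys=("Account_Name", "ComputerName")):
    """dedup keeps the first event it sees per key combination. Search results
    arrive newest first, so sorting by _time descending reproduces
    'most recent pair wins'."""
    seen = set()
    kept = []
    for row in sorted(rows, key=lambda r: r["_time"], reverse=True):
        key = tuple(row[k] for k in keys)
        if key not in seen:
            seen.add(key)
            kept.append(row)
    return kept


def daily_logon_report(events, logon_type=3, name_index=1):
    """The posted search end to end: EventCode/Logon_Type filter, mvindex,
    account exclusions, dedup, then table _time, Account_Name, ComputerName."""
    rows = []
    for ev in events:
        if ev["EventCode"] != 4624 or ev["Logon_Type"] != logon_type:
            continue
        name = mvindex(account_names(ev["Message"]), name_index)
        if excluded(name):
            continue
        rows.append({"_time": ev["_time"], "Account_Name": name,
                     "ComputerName": ev["ComputerName"]})
    return dedup_most_recent(rows)


if __name__ == "__main__":
    for row in daily_logon_report(SAMPLE_EVENTS):
        print(row["_time"], row["Account_Name"], row["ComputerName"])
```

Run it as is to see the two rows the type 3 report produces; call daily_logon_report(SAMPLE_EVENTS, logon_type=2, name_index=0) to see why the index matters: for the type 2 event the Subject Account Name is the workstation's machine account, which the "*$" filter then drops, leaving an empty report.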