I'm trying to find out which users are logging on two machines at the same time (sharing login)
I already know some log fields and started to make a sketch, but I think I'm on the wrong track ...
host=ADServer sourcetype="WinEventLog:Security" NOT User=*$ EventCode=540 OR EventCode=538 | transaction startswith=EventCode="540" endswith=EventCode="538" | eval duration=tostring(duration,"duration") | table _time user duration name EventCode ComputerName Source_Network_Address
What I would do was to show just who logged in more than two machines. Could someone help me
I managed to create the report using this search
sourcetype="WinEventLog:Security" OR (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs, values(dvc) as "Domains Controller", count by user
| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users
hi, since the data is tagged for CIM, it should be easier to use tags and eventtypes:
tag=authentication eventtype="windows_logon*" | eventstats count(dest) as dest_count by user | timechart max(dest_count) by user
If you have the CIM installed I also got good results with Search->Pivot -> Authentication -> Successful Authentication. I added a filter for Sourcetype starts with win*, split the row by user, and the column by dest to get a table. Or use the scatter plot to map distinct counts of users and dests.