Subsearches & Joins

MikeElliott
Communicator

Hi Team,

I'm writing a search that will alert when a user account authenticates and is granted privileges. Our admin team often uses the Remote Control Viewer to remote into assets, and we would like to exclude them. Unfortunately, we don't have a standardised naming convention, so we can exclude some admin accounts, but not all of them.

I want to write a search that takes the Account_Name, and then runs a sub-search to identify whether that Account_Name has been associated with the New_Process_Name of *RemoteControlViewer.exe and, if they have, exclude them.

I've got the below logic and I've played around with multiple types of join and appendcols, but I'm getting nowhere. Can someone help?

sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672) AND (Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin" Account_Domain="<DOMAIN>") 
| join Account_Name 
    [ search sourcetype=WinEventLog:Security EventCode=4688 
    | stats values(New_Process_Name) AS NPN by Account_Name
    | fields NPN] 
| search NOT 
    [| inputlookup WL_Global 
    | rename src as Source_Network_Address 
    | fields Source_Network_Address] 
| search NOT 
    [| inputlookup WL_B_10_104 
    | fields Account_Name, host] 
| fillnull value=N/A Group_Domain Group_Name 
| eval Target_Account=mvindex(Security_ID, -0) 
| convert ctime(_time) as Time timeformat="%H:%M:%S %d/%m/%y" 
| stats values(Account_Domain) as Account_Domain values(NPN) as New_PN values(name) as name values(Group_Name) as Group_Name values(Group_Domain) as Group_Domain by Account_Name host Time
| search New_PN!=*RemoteControlViewer.exe
| fields Time Account_Name host Account_Domain name Group_Name Group_Domain

Any assistance would be greatly appreciated.


whrg
Motivator

I think your troubles lie with the join command. Check out the join documentation.

When using the join command, one or more fields must be common between the base search and the sub search. (They are specified right after the join command.) In your case, the specified common field is Account_Name, but the subsearch only returns the field NPN. So there will be no matches.

I think it might be easier here to use a subsearch instead of a join operation. Try it like this:

sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672) AND (Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin" Account_Domain="<DOMAIN>") 
NOT [search sourcetype=WinEventLog:Security EventCode=4688 New_Process_Name="*RemoteControlViewer.exe"
   | table Account_Name] 
...
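Putting whrg's exclusion subsearch back into the rest of the original pipeline gives the complete alert search below. This is an added, assembled example, not either poster's own text; it assumes the same sourcetypes, lookups (WL_Global, WL_B_10_104) and field names as the question, and adds an explicit earliest=-30d on the subsearch so the exclusion list is built from a longer window than the alert's own time range.

```spl
sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672)
    AND (Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin"
         Account_Domain="<DOMAIN>")
    NOT [ search sourcetype=WinEventLog:Security EventCode=4688
                 New_Process_Name="*RemoteControlViewer.exe" earliest=-30d
          | stats count by Account_Name
          | fields Account_Name ]
| search NOT
    [ | inputlookup WL_Global
      | rename src as Source_Network_Address
      | fields Source_Network_Address ]
| search NOT
    [ | inputlookup WL_B_10_104
      | fields Account_Name host ]
| fillnull value=N/A Group_Domain Group_Name
| eval Target_Account=mvindex(Security_ID, 0)
| convert ctime(_time) as Time timeformat="%H:%M:%S %d/%m/%y"
| stats values(Account_Domain) as Account_Domain values(name) as name
        values(Group_Name) as Group_Name values(Group_Domain) as Group_Domain
        by Account_Name host Time
| fields Time Account_Name host Account_Domain name Group_Name Group_Domain
```

A subsearch is capped by default at 10,000 results and 60 seconds (limits.conf [subsearch] maxout and maxtime), which is why stats count by Account_Name is used to return one row per account rather than one per 4688 event. If the set of accounts that have run RemoteControlViewer.exe grows beyond that, write it to a lookup on a schedule and apply it the same way as WL_B_10_104.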