Yes, but I'm guessing about the specifics you're after.
If you are talking about Windows 2K8 or Vista EventCode 4740, then you would filter on the Account_Domain field.
In this example you would change 'domain1' to one of your domains.
index=main EventCode=4740 Account_Domain=domain1 | eval Account_Name=mvindex(Account_Name,1)| table _time Account_Domain Account_Name Caller_Computer_Name
If you want to have the results sorted by domain, then use something like this:
index=main EventCode=4740 | eval Account_Name=mvindex(Account_Name,1)| table Account_Domain _time Account_Name Caller_Computer_Name
If you are talking about older Windows systems, then you would filter on the Caller_Domain field. For example:
index=main EventCode=644 | table Caller_Domain _time Target_Account_Name Caller_Machine_Name
If you have a mix, then you can combine the two like this:
index=main EventCode=4740 | eval Account_Name=mvindex(Account_Name,1)| eval Source=coalesce(Caller_Computer_Name,ComputerName)| table Account_Domain _time Account_Name Source| rename Account_Domain AS Domain Account_Name AS Account |append [search index=main EventCode=644 | table Caller_Domain _time Target_Account_Name Caller_Machine_Name | rename Caller_Domain AS Domain Target_Account_Name AS Account Caller_Machine_Name AS Source]
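The same normalisation the combined search does (mvindex to pick the locked-out account, coalesce for the source host, renaming both formats to one schema), as an added Python example that is not part of the original answer; the field names are the ones the answer uses, and the sample events are constructed.

```python
# Added example (not from the original answer): normalise lockout events from
# the two Windows log formats the answer describes, as the SPL does.
from collections import Counter

# Constructed sample events using the field names from the answer. For 4740,
# Account_Name is multivalue: element 0 is the caller, element 1 the locked-out account.
EVENTS = [
    {"EventCode": 4740, "_time": "2024-01-05T09:12:00", "Account_Domain": "domain1",
     "Account_Name": ["DC01$", "jsmith"], "Caller_Computer_Name": "WKS-17"},
    {"EventCode": 4740, "_time": "2024-01-05T09:15:30", "Account_Domain": "domain2",
     "Account_Name": ["DC02$", "svc_backup"], "ComputerName": "DC02"},
    {"EventCode": 644, "_time": "2024-01-05T09:20:10", "Caller_Domain": "domain1",
     "Target_Account_Name": "alee", "Caller_Machine_Name": "LAPTOP-3"},
]

def coalesce(*values):
    """Return the first value that is not None, like Splunk's coalesce()."""
    return next((v for v in values if v is not None), None)

def normalise(event):
    """Map either event format to {Domain, _time, Account, Source}; None if not a lockout."""
    if event.get("EventCode") == 4740:
        names = event.get("Account_Name") or []
        names = names if isinstance(names, list) else [names]
        return {
            "Domain": event.get("Account_Domain"),
            "_time": event["_time"],
            "Account": names[1] if len(names) > 1 else None,  # mvindex(Account_Name,1)
            "Source": coalesce(event.get("Caller_Computer_Name"), event.get("ComputerName")),
        }
    if event.get("EventCode") == 644:
        return {
            "Domain": event.get("Caller_Domain"),
            "_time": event["_time"],
            "Account": event.get("Target_Account_Name"),
            "Source": event.get("Caller_Machine_Name"),
        }
    return None

def lockouts_by_domain(events, domain=None):
    """Normalised lockout rows, optionally filtered to one domain, ordered by domain then time."""
    rows = [r for r in map(normalise, events) if r is not None]
    if domain is not None:
        rows = [r for r in rows if r["Domain"] == domain]
    return sorted(rows, key=lambda r: (r["Domain"], r["_time"]))

def lockout_counts(events):
    """Lockouts per (Domain, Account): the view that surfaces repeatedly locked accounts."""
    return Counter((r["Domain"], r["Account"]) for r in lockouts_by_domain(events))
```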
No problem. Don't forget to accept the answer:)
Thank you for your most appreciated help 😉