I'm currently trying to find any user that might have had successful logins from multiple source IP addresses. I've looked all over and can't seem to figure this out. Is there a way to do this within the search?
Figured it out... Feel free to make it better.
eventtype="windows-security-4625" | stats dc(src_ip) by Account_Name | search "dc(src_ip)" > 1 | sort "dc(src_ip)" asc
Seems to work fine, but it would be cool to have it also spit out the various src_ips. I'm still playing with it.
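One way to also list the source addresses per account, as an added example that is not part of the original post: it keeps the poster's eventtype and the `src_ip` and `Account_Name` fields, and the aliases `src_count`, `src_ips`, `first_seen` and `last_seen` are names chosen here. Windows event ID 4625 records failed logons and 4624 records successful ones, so the base search has to match 4624 events if successful logins are the target.

```spl
eventtype="windows-security-4625"
| stats dc(src_ip) AS src_count
        values(src_ip) AS src_ips
        min(_time) AS first_seen
        max(_time) AS last_seen
        by Account_Name
| where src_count > 1
| convert ctime(first_seen) ctime(last_seen)
| sort - src_count
```

`values(src_ip)` returns the distinct addresses as a multivalue field, and the descending sort puts the accounts seen from the most addresses at the top for triage.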