I'm trying to query instances where Security_ID != {Domain Name}\Account_Name in the security event logs per Microsoft's guidance, but I can't concatenate the Domain Name and Account Name in the query.
E.g. CONTOSO\bob != bob
All help is appreciated!!
I believe this is what you are looking for.
sourcetype=WinEventLog:Security EventCode=4624 | eval Logon_Account_Name=mvindex(Account_Name,1) | eval Logon_Account_Name=upper(Logon_Account_Name) | eval Sec_ID=mvindex(Security_ID,1) | eval temp=split(Sec_ID,"\\") | eval Sec_ID=mvindex(temp,1) | eval Sec_ID=upper(Sec_ID) | where Sec_ID != Logon_Account_Name | stats count by Sec_ID, Logon_Account_Name
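An added example, not from the answer above: a Python model of the same comparison run over constructed 4624 events, with the multivalue field layout (subject at index 0, new logon at index 1) assumed from the query's use of mvindex(...,1). It also surfaces the events the SPL silently drops when Security_ID carries no DOMAIN\ prefix, such as an unresolved SID.

```python
from collections import Counter

# Constructed sample events, shaped as Splunk extracts them from 4624 logs:
# Security_ID and Account_Name are multivalue fields whose index 0 is the
# subject and index 1 the new logon, which is why the query uses mvindex(...,1).
SAMPLE_EVENTS = [
    {"EventCode": "4624", "Security_ID": ["NULL SID", "CONTOSO\\bob"],
     "Account_Name": ["-", "bob"]},                       # consistent
    {"EventCode": "4624", "Security_ID": ["NULL SID", "CONTOSO\\alice"],
     "Account_Name": ["-", "Alice"]},                     # differs only by case
    {"EventCode": "4624", "Security_ID": ["NULL SID", "CONTOSO\\svc_backup"],
     "Account_Name": ["-", "bob"]},                       # the mismatch to find
    {"EventCode": "4624", "Security_ID": ["NULL SID", "S-1-5-21-1-2-3-1105"],
     "Account_Name": ["-", "carol"]},                     # unresolved SID, no backslash
    {"EventCode": "4625", "Security_ID": ["NULL SID", "CONTOSO\\bob"],
     "Account_Name": ["-", "eve"]},                       # not a 4624, filtered out
]


def logon_account_name(event):
    """eval Logon_Account_Name=upper(mvindex(Account_Name,1))"""
    return event["Account_Name"][1].upper()


def sec_id_account(event):
    # eval Sec_ID=upper(mvindex(split(mvindex(Security_ID,1),"\\"),1))
    # Splunk's mvindex returns null when there is no backslash, and the
    # `where` clause then drops the event; None models that here.
    parts = event["Security_ID"][1].split("\\")
    return parts[1].upper() if len(parts) > 1 else None


def find_mismatches(events):
    """Replicates the full pipeline: keep 4624s, compare the two names
    case-insensitively, count by (Sec_ID, Logon_Account_Name)."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != "4624":
            continue
        sec_id = sec_id_account(ev)
        if sec_id is None:                  # null comparison is never true
            continue
        logon = logon_account_name(ev)
        if sec_id != logon:
            counts[(sec_id, logon)] += 1
    return counts


def unresolved_sids(events):
    """4624s the query skips because Security_ID has no DOMAIN\\ prefix;
    worth reviewing separately rather than losing them."""
    return [ev for ev in events
            if ev.get("EventCode") == "4624" and sec_id_account(ev) is None]
```

Because both sides are upper-cased, a name that differs only by case (Alice vs alice) is not reported, which matches the SPL; add a separate review of unresolved_sids() output in production, since those events never reach the stats table.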
That worked wonderfully! Thank you so much!
No Problem. I'm glad I could help.