I am not sure what that ask is here
What is your concern regarding plagiarism? If I rewrite this SPL and you use it, are you then not plagiarising my SPL?
It is not clear what NTLM (type 3) is - could you just change the Logon_Type or LogonType part of the search to look for 3 instead of 10?
Please share some anonymised events so we can see what you are dealing with, and an indication of the expected output?
This above query is based on
https://www.splunk.com/en_us/blog/security/active-directory-lateral-movement-detection-threat-resear...
If possible, please help me in making a query as per the sample event.
Thanks
Sorry, I am not a security expert.