I'm trying to do some least common occurance hunting in our environment, and would like to see if I can make a search that will show me hosts with low counts of user logons (say, less than 5?).
So, if my machine had me log in 30 times, and a pc tech once, even though it's legit it would show the pc tech on my machine in the search.
@rwmilligan,
what about rare user
?
Assuming the user is xyz.
index=_internal file=login user!=- NOT streamedsearch user=xyz |stats count by host user | where count<5
Not by user... I would like it to show ANY user with low counts on any machine. I'll try the "rare user" command listed above, see how that works out for me.