Hi all,
A past consultant of ours wrote the following correlation search to detect excessive user account lockouts:
index=wineventlog EventCode=4740
| stats count min(_time) as firstTime max(_time) as lastTime by user, signature
| `ctime(firstTime)`
| `ctime(lastTime)`
| search count > 5
The results display the following:
user | signature | count | firstTime | lastTime |
<user name> | A user account was locked out | <count> | 01/07/2021 07:57:10 | 01/14/2021 02:56:51 |
The count above is a total of lockouts from different machines in our environment over a period of time.
How can I add an additional column listing the actual machine names causing the lockouts (this data would be taken from the field "dest_nt_domain")? And is there a better way of doing this?
i.e.:
user | signature | count | firstTime | lastTime | machines |
<user name> | A user account was locked out | <count> | 01/07/2021 07:57:10 | 01/14/2021 02:56:51 | <computer1>, <computer2>, ... |
Hi @Ewong,
Please try the search below:
index=wineventlog EventCode=4740
| stats count min(_time) as firstTime max(_time) as lastTime values(dest_nt_domain) as machines by user, signature
| `ctime(firstTime)`
| `ctime(lastTime)`
| search count > 5
If this reply helps you, an upvote is appreciated.
Try this:
index=wineventlog EventCode=4740
| stats count min(_time) as firstTime max(_time) as lastTime, values(dest_nt_domain) as machines by user, signature
| `ctime(firstTime)`
| `ctime(lastTime)`
| search count > 5
That worked remarkably, thank you!
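The same lockout aggregation as the `stats ... values(dest_nt_domain) as machines` search above, reimplemented in Python over a handful of constructed 4740 events so the logic can be checked offline; this is an added example, not code from the thread or from Splunk. It also adds a distinct-machine count (the equivalent of `dc(dest_nt_domain)` in SPL), which helps tell one noisy workstation apart from a lockout spread across many hosts. The event tuples, user names and host names are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample EventCode=4740 events (not real data): (UTC time, user, dest_nt_domain).
SAMPLE_EVENTS = [
    ("2021-01-07T07:57:10", "jdoe", "WS-101"),
    ("2021-01-08T09:12:00", "jdoe", "WS-101"),
    ("2021-01-09T11:30:45", "jdoe", "WS-204"),
    ("2021-01-10T14:02:13", "jdoe", "WS-204"),
    ("2021-01-12T08:45:00", "jdoe", "SRV-APP01"),
    ("2021-01-14T02:56:51", "jdoe", "WS-101"),
    ("2021-01-13T10:00:00", "asmith", "WS-310"),
    ("2021-01-13T10:05:00", "asmith", "WS-310"),
]

def ctime(epoch):
    """Format an epoch like the `ctime` macro output shown in the thread: MM/DD/YYYY HH:MM:SS."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")

def lockout_summary(events, threshold=5):
    """Equivalent of `stats count min(_time) max(_time) values(dest_nt_domain) by user`
    followed by `search count > threshold`. Returns one row per user over the threshold."""
    by_user = defaultdict(list)
    for ts, user, machine in events:
        epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        by_user[user].append((epoch, machine))
    rows = []
    for user, hits in sorted(by_user.items()):
        count = len(hits)
        if count <= threshold:          # `search count > 5` keeps only strictly greater
            continue
        times = [e for e, _ in hits]
        machines = sorted({m for _, m in hits})   # values(): distinct, sorted
        rows.append({
            "user": user,
            "signature": "A user account was locked out",
            "count": count,
            "firstTime": ctime(min(times)),
            "lastTime": ctime(max(times)),
            "machines": machines,
            "machine_count": len(machines),       # dc(dest_nt_domain) in SPL
        })
    return rows

if __name__ == "__main__":
    for row in lockout_summary(SAMPLE_EVENTS):
        print(row)
```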