I have been asked to determine the logon frequency for a certain group of users (about 50) over a two month time span. That group has been entered into a lookup table.
I know I can create a search such as the following:
index=wineventlog source=WinEventLog:Security EventCode=4624 [inputlookup users.csv | fields user] |timechart span=1d count by user
While I plan to run this as a report overnight because of the length of time it probably will take, I have a couple of challenges.....
Can I just put this into a table in a csv where it is a long list of users across the top and all the dates down the left side and each block has the number of events for that user on that day?
And when I try to do this, I get about eight names and the rest are bunched into one group called OTHER.
How do I make that other group break out so I can download a list showing individual names?
I hope that's clear...
That is the default behavior of the setting
limit of the timechart command, when it provides top 10 results and all others will be clubbed at OTHER. Use limit=0 to get all the values.
index=wineventlog source=WinEventLog:Security EventCode=4624 [inputlookup users.csv | fields user] |timechart span=1d count by user limit=0
See this for more information
this is a great login search that I use. Got most of it from the MalwareArchaeology.com
sourcetype="WinEventLog:Security" EventCode=4624 NOT (host=“DC1" OR host=“DC2" OR host=“DC…”) NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON") NOT (Account_Name="Service_Account") NOT [ inputlookup Trusted_Logon_Whitelist.csv | fields Account_Name Account_Domain Logon_Type ] | eval Account_Domain=(mvindex(Account_Domain,1)) | eval Account_Name=if(Account_Name="-",(mvindex(Account_Name,1)), Account_Name) | eval Account_Name=if(Account_Name="*$",(mvindex(Account_Name,1)), Account_Name) | eval Time=strftime(_time,"%Y/%m/%d %T") | stats count values(Account_Domain) AS Domain, values(host) AS Host, dc(host) AS Host_Count, values(Logon_Type) AS Logon_Type, values(Workstation_Name) AS From_WS_Name, values(Source_Network_Address) AS Source_IP, values(Process_Name) AS Process_Name by Account_Name | sort - Host_Count | where Host_Count > 2 | head 10 | fields - Host Source_IP
Not exacly what your looking for but might help you develop what your looking for.