Hi guys, I wanted to search for a list of failed login attempts by privileged users, taking the privileged users from existing successful logons (EventCode=4672).
I tried to do a subsearch, but it results in false positives:
other, non-privileged users also come into my result.
index=main sourcetype="wineventlog:security" EventCode=4625
| eval Account_Name=mvindex(Account_Name,1)
| search Account_Name!=*$
| append
[ search index=main sourcetype="wineventlog:security" EventCode=4672 Account_Name!=*$
| table Account_Name]
| table _time EventCode Account_Name
@hok2010
Can you please try this?
index=main sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4672)
| eval Account_Name=if(EventCode=="4625", mvindex(Account_Name,1), Account_Name)
| search Account_Name!=*$
| table _time EventCode Account_Name
| stats latest(eval(if(EventCode=="4625",_time,null()))) as _time count(eval(EventCode=="4625")) as EventCode_4625 count(eval(EventCode=="4672")) as EventCode_4672 by Account_Name
| where EventCode_4625>0 AND EventCode_4672>0
| table _time EventCode_* Account_Name
My sample search:
| makeresults
| eval EventCode=4625,Account_Name="AAA"
| append
[| makeresults
| eval EventCode=4625,Account_Name="BBB"]
| append
[| makeresults
| eval EventCode=4672,Account_Name="BBB"]
| search (EventCode=4625 OR EventCode=4672)
| stats latest(eval(if(EventCode=="4625",_time,null()))) as _time count(eval(EventCode=="4625")) as EventCode_4625 count(eval(EventCode=="4672")) as EventCode_4672 by Account_Name
| where EventCode_4625>0 AND EventCode_4672>0
| table _time EventCode_* Account_Name
Thanks
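The same correlation the stats-based answer performs, written out in Python over constructed Windows Security events so the logic can be checked offline. This is an added example, not code from either poster. It assumes the Splunk field layout the thread relies on: in a 4625 event Account_Name is multivalued with the target (attempted) account at index 1, while in a 4672 event it is a single value; it excludes machine accounts (names ending in "$"), and it reports every privileged account with at least one failure rather than exactly one.

```python
"""Correlate failed logons (4625) with accounts that were granted special
privileges (4672), reproducing the Splunk stats/where approach in plain Python.
The events below are constructed sample data, not real log output."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    time: int            # epoch seconds (constructed)
    event_code: int      # 4625 = failed logon, 4672 = special privileges assigned
    account_name: list   # Account_Name as Splunk extracts it (assumed layout)


def target_account(ev):
    """Mirror the SPL eval: mvindex(Account_Name,1) for 4625, otherwise the
    single Subject account. Returns None when the expected value is missing."""
    if ev.event_code == 4625:
        return ev.account_name[1] if len(ev.account_name) > 1 else None
    return ev.account_name[0] if ev.account_name else None


def is_machine_account(name):
    """Computer accounts end in '$' (the Account_Name!=*$ filter)."""
    return name.endswith("$")


def privileged_failed_logons(events):
    """Return {account: {latest_failure, failed_count}} for accounts that
    appear in a 4672 event AND have one or more 4625 failures."""
    privileged = set()
    failures = defaultdict(list)
    for ev in events:
        name = target_account(ev)
        if not name or is_machine_account(name):
            continue
        if ev.event_code == 4672:
            privileged.add(name)
        elif ev.event_code == 4625:
            failures[name].append(ev.time)
    # Equivalent of: where EventCode_4625>0 AND EventCode_4672>0
    return {
        name: {"latest_failure": max(times), "failed_count": len(times)}
        for name, times in failures.items()
        if name in privileged
    }


# Constructed sample events exercising each branch of the filter.
SAMPLE_EVENTS = [
    Event(1000, 4672, ["alice"]),           # alice is privileged
    Event(1010, 4625, ["-", "alice"]),      # two failures against alice
    Event(1020, 4625, ["-", "alice"]),
    Event(1030, 4625, ["-", "bob"]),        # bob never had 4672: not privileged
    Event(1040, 4672, ["WKS01$"]),          # machine account: excluded
    Event(1050, 4625, ["-", "WKS01$"]),
    Event(1060, 4672, ["carol"]),           # privileged but no failures
]

if __name__ == "__main__":
    for account, summary in privileged_failed_logons(SAMPLE_EVENTS).items():
        print(account, summary)
```

Only alice is reported: bob's failures are dropped because no 4672 event names him, the machine account is filtered out, and carol has no failures. Using a count greater than zero (rather than equal to one) is what keeps alice's second failed attempt from hiding her from the result.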