Working query for a specific IP, say 10.10.10.10:
```Windows successful logons whose source IP also shows up in Palo Alto remote-access / teamviewer-base traffic from 10.10.10.10. Triple-backtick search comments need a Splunk version that supports them; strip them if yours does not.```
```The subsearch returns the distinct src_ip values seen in pan_logs; renaming src_ip to search makes them come back as bare search terms instead of src_ip=value pairs, so they are matched against the raw event text. NOTE(review): (Authentication_Package=Kerberos user!=$) OR (user=$) compares user against the literal value $; it looks like *$ (computer accounts) was intended - confirm.```
index=wineventlog sourcetype="WinEventLog:Security" eventtype=wineventlog_security name="An account was successfully logged on" src_ip=* eventtype=windows_logon_success (Authentication_Package=Kerberos user!=$) OR (user=$) [search index=pan_logs "app:subcategory"="remote-access" "teamviewer-base" src_ip=10.10.10.10| fields src_ip | dedup src_ip | table src_ip| rename src_ip as search ]
```One row per user/src_ip pair; account names ending in $ are moved into ComputerName and blanked out of user, so each row carries either a user or a computer account.```
| dedup user,src_ip| table user,src_ip | eval ComputerName=if(like(user,"%$"),user,null()) | eval user=if(isnull(ComputerName),user,null()) | table src_ip user ComputerName
```Add the matching Palo Alto rows so action, application and app:subcategory are available under the same src_ip.```
| append [search index=pan_logs "app:subcategory"="remote-access" "teamviewer-base" src_ip=10.10.10.10 | dedup src_ip | table src_ip,action,application,app:subcategory]
```Merge the Windows rows and the Palo Alto rows for each src_ip into a single row; fields with several values become multivalue.```
| stats values(*) as * by src_ip
This did not work when I tried it with a subnet:
```Same search scoped to the 10.10.0.0/16 subnet. Triple-backtick search comments need a Splunk version that supports them; strip them if yours does not.```
```The subsearch collects every distinct src_ip in that /16 and, because src_ip is renamed to search, hands them back as bare terms matched against raw event text. NOTE(review): a /16 can yield a large IP list; subsearches are subject to result-count and time limits and a truncated list is easy to miss - check the job messages for a subsearch truncation warning before trusting an empty result. NOTE(review): (Authentication_Package=Kerberos user!=$) OR (user=$) compares user against the literal value $; *$ (computer accounts) looks intended - confirm.```
index=wineventlog sourcetype="WinEventLog:Security" eventtype=wineventlog_security name="An account was successfully logged on" src_ip=* eventtype=windows_logon_success (Authentication_Package=Kerberos user!=$) OR (user=$) [search index=pan_logs "app:subcategory"="remote-access" "teamviewer-base" src_ip=10.10.0.0/16 | fields src_ip | dedup src_ip | table src_ip| rename src_ip as search ]
```One row per user/src_ip pair; account names ending in $ are moved into ComputerName and blanked out of user.```
| dedup user,src_ip| table user,src_ip | eval ComputerName=if(like(user,"%$"),user,null()) | eval user=if(isnull(ComputerName),user,null()) | table src_ip user ComputerName
```Add the Palo Alto rows for the same subnet so action, application and app:subcategory are available per src_ip.```
| append [search index=pan_logs "app:subcategory"="remote-access" "teamviewer-base" src_ip=10.10.0.0/16 | dedup src_ip | table src_ip,action,application,app:subcategory]
```Merge the Windows rows and the Palo Alto rows for each src_ip into a single row.```
| stats values(*) as * by src_ip
I tried something else that seems to work, though I am not 100% sure yet: I removed "| rename src_ip as search" from the query.
```Subnet-scoped search with the subsearch result left as src_ip values. Triple-backtick search comments need a Splunk version that supports them; strip them if yours does not.```
```Without a rename to search, the subsearch is expanded as a list of src_ip=value terms ORed together, so the match is confined to the src_ip field of the Windows events rather than their raw text. NOTE(review): subsearch result-count and time limits still apply to a /16; check the job messages for a truncation warning. NOTE(review): (Authentication_Package=Kerberos user!=$) OR (user=$) compares user against the literal value $; *$ (computer accounts) looks intended - confirm.```
index=wineventlog sourcetype="WinEventLog:Security" eventtype=wineventlog_security name="An account was successfully logged on" src_ip=* eventtype=windows_logon_success (Authentication_Package=Kerberos user!=$) OR (user=$) [search index=pan_logs "app:subcategory"="remote-access" "teamviewer-base" src_ip=10.10.0.0/16 | fields src_ip | dedup src_ip | table src_ip ]
```One row per user/src_ip pair; account names ending in $ are moved into ComputerName and blanked out of user.```
| dedup user,src_ip| table user,src_ip | eval ComputerName=if(like(user,"%$"),user,null()) | eval user=if(isnull(ComputerName),user,null()) | table src_ip user ComputerName
```Add the Palo Alto rows for the same subnet so action, application and app:subcategory are available per src_ip.```
| append [search index=pan_logs "app:subcategory"="remote-access" "teamviewer-base" src_ip=10.10.0.0/16 | dedup src_ip | table src_ip,action,application,app:subcategory]
```Merge the Windows rows and the Palo Alto rows for each src_ip into a single row.```
| stats values(*) as * by src_ip