EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| dedup Logon_Type
This is what I am trying to execute because I want to be alerted when my admin account (.a) is used. When I log in to the server and stay logged in doing nothing, the event triggers every 5 to 20 minutes on logon type 3, which I don't want, as I want to be alerted only once.
For example, if my .a account is used to run a script that would create another .a account without actually logging in or RDPing into the server, I should be alerted once with logon type 3. Therefore, I put a where clause on logon type 3 if there is no preceding logon type 2 or 10.
Please advise!
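The correlation the post describes, written out as an added example (this is not the poster's query and not Splunk code): Python that parses constructed 4624-style messages with the same fields the two rex commands extract, shows why the posted where clause lets every type-3 event through, and then applies the rule the post actually wants, one alert for a type-3 logon by a .a account that has no type 2 or 10 logon from the same account within a session window before it. The AD domain, the GUIDs, the timings, the 8-hour session window and the 1-hour suppression period are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"


def render(logon_type, account, guid):
    """Build a 4624-style message body in the layout the original rex commands expect."""
    return (f"Logon Type:\t\t{logon_type}\n\nNew Logon:\n"
            f"\tSecurity ID:\t\t{account}\n\tLogon GUID:\t\t{guid}")


# Constructed sample events (not real log data): (timestamp, EventCode, message).
# The AD domain, GUIDs and timings are assumptions for this example.
SAMPLE_EVENTS = [
    # Interactive console logon (type 2): the admin's real session starts here
    ("2024-03-01T08:00:00", 4624, render(2, "AD\\mtaqi.a", "{0f3e8a1c-0000-4b2a-9c3d-000000000001}")),
    # Network logons (type 3) while that session sits idle: the noise from the post
    ("2024-03-01T08:07:00", 4624, render(3, "AD\\mtaqi.a", "{0f3e8a1c-0000-4b2a-9c3d-000000000002}")),
    ("2024-03-01T08:19:00", 4624, render(3, "AD\\mtaqi.a", "{0f3e8a1c-0000-4b2a-9c3d-000000000003}")),
    ("2024-03-01T08:31:00", 4624, render(3, "AD\\mtaqi.a", "{0f3e8a1c-0000-4b2a-9c3d-000000000004}")),
    # A non-admin account and a failed logon (4625): both out of scope
    ("2024-03-01T08:40:00", 4624, render(3, "AD\\jdoe", "{0f3e8a1c-0000-4b2a-9c3d-000000000005}")),
    ("2024-03-01T08:45:00", 4625, render(3, "AD\\mtaqi.a", "{0f3e8a1c-0000-4b2a-9c3d-000000000006}")),
    # Hours later: a type-3 logon with no interactive session behind it (the script case)
    ("2024-03-01T20:00:00", 4624, render(3, "AD\\mtaqi.a", "{0f3e8a1c-0000-4b2a-9c3d-000000000007}")),
    # A second one two minutes later: must not alert again
    ("2024-03-01T20:02:00", 4624, render(3, "AD\\mtaqi.a", "{0f3e8a1c-0000-4b2a-9c3d-000000000008}")),
    # Null Logon GUID: excluded, as in the original query
    ("2024-03-01T20:05:00", 4624, render(3, "AD\\mtaqi.a", NULL_GUID)),
]

LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\w+)")
SECURITY_ID_RE = re.compile(r"New Logon:\s+Security ID:\s*([A-Za-z]+\\[\w.]+)")
LOGON_GUID_RE = re.compile(r"Logon GUID:\s*(\{[0-9a-fA-F-]+\})")


def parse_event(ts, code, msg):
    """Extract the fields the SPL pulls out with rex; None if this is not a 4624."""
    if code != 4624:
        return None
    t, s, g = LOGON_TYPE_RE.search(msg), SECURITY_ID_RE.search(msg), LOGON_GUID_RE.search(msg)
    if not (t and s and g):
        return None
    return {"time": datetime.fromisoformat(ts), "logon_type": t.group(1),
            "account": s.group(1), "guid": g.group(1)}


def original_where(events, account_substr="mtaqi.a"):
    """Events that survive the posted where clauses. The parenthesised part of
    Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2") is evaluated on the
    same row and is always true once Logon_Type is "3", so it cannot look at any
    other event: every type-3 logon passes, including the idle-session ones."""
    out = []
    for e in (parse_event(*ev) for ev in events):
        if e is None or account_substr not in e["account"] or e["guid"] == NULL_GUID:
            continue
        if e["logon_type"] == "3" and (e["logon_type"] != "10" or e["logon_type"] != "2"):
            out.append(e)
    return out


def alerts_once(events, account_suffix=".a", session_window=timedelta(hours=8),
                suppress=timedelta(hours=1)):
    """Alert on a type-3 logon by a .a account only when that account has no
    type 2 or 10 logon within session_window before it, and at most once per
    suppress period per account. Window and suppression are assumed values."""
    parsed = sorted((e for e in (parse_event(*ev) for ev in events) if e),
                    key=lambda e: e["time"])
    last_interactive, last_alert, alerts = {}, {}, []
    for e in parsed:
        acct = e["account"]
        if not acct.endswith(account_suffix) or e["guid"] == NULL_GUID:
            continue
        if e["logon_type"] in ("2", "10"):
            last_interactive[acct] = e["time"]  # remember the real session
            continue
        if e["logon_type"] != "3":
            continue
        prior = last_interactive.get(acct)
        if prior is not None and e["time"] - prior <= session_window:
            continue  # keep-alive traffic from an existing interactive session
        fired = last_alert.get(acct)
        if fired is not None and e["time"] - fired < suppress:
            continue  # already alerted for this account recently
        last_alert[acct] = e["time"]
        alerts.append((e["time"].isoformat(), acct))
    return alerts


if __name__ == "__main__":
    print("posted where clause passes:", len(original_where(SAMPLE_EVENTS)), "events")
    print("alert once:", alerts_once(SAMPLE_EVENTS))
```

A where clause in SPL only sees the fields of the row it is evaluating, so a condition on Logon_Type can never refer to a different logon event; to suppress the type-3 events that belong to an existing session, the other logons of the same account have to be brought into scope first, for example by grouping over the search window by account, which is what the per-account state in alerts_once stands in for here.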