Try this
index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | stats count(user) as Attempts dc(src_ip) as IPs by src_ip,user | where Attempts > 2 | table user Attempts IPs src_ip | sort -Attempts | join src_ip [search index=network_dhcp | stats count by nt_host dest_ip | rename dest_ip as src_ip | table nt_host src_ip] | stats list(src_ip) as "IP Addresses" list(nt_host) as "Host Names" by user,Attempts,IPs
... View more