Thank you @diogofgm this worked! ... View more

Thanks @snallam123 !! ... View more

If I run these two searches, the Statistics totals are 29 and 28 - only off by one (which makes sense because I excluded only one machine). Therefore that seems to add up correctly. Not sure why my original search only showed 5 systems. index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator | table src_nt_host | dedup src_nt_host index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator src_nt_host!=machineA | table src_nt_host | dedup src_nt_host ... View more

First search (no exclusions) = 450,073 Second search (with the machineA exclusion) = 79,947 ... View more

Hello TISKAR. I tried it but it made no difference... ... View more

Also, how can I tell the search to only run within a specific timeframe, lets say between only 8am - 5pm? ... View more

One more question, how can I exclude a larger time range? It seems that this works great for excluding within the same hour, but for instance if try to exclude between 00 and 04 it does not work properly. Example below: index=*-windows-logs EventCode=7036 Message="Service Entered A Running State" | sort - _time | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour > 00 AND myMinute >00 ) AND (myHour <04 AND myMinute < 00) ) | table _time, ComputerName, Message ... View more

That seems to have done it! Thanks! ... View more

Nice - how do I find the savedsearch_id? ... View more

I like this however its not showing all fired alerts. I selected "All" for App, Owner, Severity, and Alert. I noticed that under the alert drop down there are only 10 alerts listed. I have built a lot more than 10. Permissions issue possibly? ... View more

You rock that worked too! ... View more

@martynoconnor If I wanted to build a similar search - except this time I want to alert off a certain username trying to log on to multiple computers how would I do that? Let's say the usernames I am interested in are Administrator and Root... ... View more

Actually I had a typo in my index. I think your recommendation will get me going in the right direction. I am going to keep testing with it though. Thanks!! ... View more

Hello Marty. A couple of things I found when doing a test vulnerability scan which would mimic the type of behavior I want to alert on (a single IP scanning multiple IPs). I found the the remote systems attempting to be accessed show up under the field name "dest" and that the source ip of the scanner attempting to connect is under the field name "Source_Network_Address". I modified your sytax below - does it look right because I am getting zero results? index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23" | stats dc(dest) AS dest by Source_Network_Address | where dest > 20 ... View more

Hello @bowesmana. I will re-phrase what I am trying to accomplish so it may be easier to understand. I want to build an alert for when the total amount of logins for a specific user (let's say administrator) within X amount of time (let's say 10 minutes) exceeds a certain threshold (let's say greater than 9 times). In the results I want to be able to see all fields for each event that I specify. ... View more

@to4kawa - I tested this out and it appears to work! However it is very difficult to read. I had table, sort, and rename syntax in before (that I didn't provide in the searches I previously gave you) can this be added to make everything easier to read? See below for my original searches including the table, sort, and rename syntax that was missing.... 1: source=WinRegistry key_path="HKLM\sam" OR key_path="HKLM\security" OR registry_key_name=sam OR registry_key_name=security user=svchost.exe | sort -_time | table _time, host, user, process_image, registry_path, registry_key_name, registry_type | rename registry_path AS "Registry Path" registry_key_name AS "Registry Key Name" registry_type AS "Registry Type" host AS "Host" user AS "User" process_image AS "Process Image" 2: host=$host$ EventCode=4672 Account_Name!="dmon40" Account_Name!="dmon45" | sort -_time | table _time, Account_Name, Account_Domain, Security_ID, subject 3: host=$host$ EventCode=4624 Logon_Type=3 Authentication_Package!=Kerberos |sort -_time | table _time, src user host, ,EventCode,Logon_Type,Authentication_Package,Logon_Process,signature | rename src AS "IP Source" host AS "Destination Machine" user AS "Account used in Source" ... View more

Ok I will test this out! ... View more