I can see a little more information is need:  I can finde the user who checks out the cyberark account .. "PAM-DomainAdmin*"  by this search ... It is the suser that is of interesset  index="cyberark" duser="PAM-DomainAdmin*" ("cn2=(Action: Connect)" OR command="Retrieve password") | rename cn2 as Why | table _time, user, suser, src, command, Why Finding the action created by the user has done as PAM-admin is done as: index=wineventlog source=wineventlog:security EventID IN (4756, 4728, 4732) src_user="PAM-DomainAdmin*"   ... View more

Hi @yuanliu  I do like your solution, but i do have a problem, since a lot of times when a user takes a administrative account, they do multible changes  see below.   Your soultion only gives me 2 matches, which is the first action for the the user created   Sorry to be a pain ....  ... View more

So what i would like to end up with is a table like: _time (first search), action, target_group, target_user, src_user, suser ... View more

Hi @yuanliu  Thank you for your response, and I do agree some clarifycation is needed:  The overall is the following: To identify the user behind, when someone has been using the shared administrative accounts (XXXXX01, etc)  to add or remove accounts from sensitive groups.  The work process is that a user, log on to our PAM solution as suser, they check out the admin user (duser), duser is then used to make changes to target_user/target_group. First challenge is, that the time from the check out of XXXXX01 in the PAM solution to the actual change of the account is not fixed, it can be anywhere from 1 minute to an hour. Second problem is that to different user can check out the same account, (one after the other, not at the same time)  I need src_user in the first search to match duser in second search. I need the time of the second search to be within the hour of the first search. ( I will accept that in rear cases this will give more than one suser account)     ... View more