So here's the issue... We have an RDS Farm that users login to and from there they RDP to other servers. Right now I have a search that creates a table and shows the users that are logging in with non-domain accounts/service accounts from the jump servers(RDS Farm) to the other servers -
index="wineventlog" source="WinEventLog:Security" EventCode=4624 Process_Name="*winlogon*" NOT (user=Example_AdminAccounts) NOT (Account_Domain=Example_Domains)
| table _time, dst_nt_domain, user, ComputerName, src_ip
| convert timeformat=" %A, %h-%d %Y %H:%M:%S%P" ctime(_time)
| rename user as "User", ComputerName as "FQDN", src_ip as "Source IP", name as "Description", dst_nt_domain as "Domain", _time as "Date and Time"
This search works properly, however I am trying to create a subsearch that would give me the following:
If a user field includes
then search the
hosts=RDS Jump Server Farm within
I'm not sure if this is possible or if there's a better method to go about this but hopefully some of you experts can lend a hand.
Any help would be greatly appreciated.
Thanks!