i’m new using Logpoint. So i need some help for a search i would like to do. I would like to add some more information to the search “Top 10 User in Failed Kerberis Authentication” there i would like to add on which workstation the user have tryed to logon.
You can modyfy your search with this query.
norm_id=WinServer label=Kerberos label=Authentication label=Fail -user=*$ user=* | process dns(source_address) as WORKSTATION | rename description as reason | chart count() by user,WORKSTATION, source_address, pre_authentication_type, reason order by count() desc limit 10
Thanks al lot
That was exactly what i was looking for.
No problem, have fune. :)
You can also find useful use cases in our “Knowledge base” section: