Question

Add more Information to a Report

  • 6 December 2022
  • 4 replies
  • 63 views

Hi there,

i’m new using Logpoint. So i need some help for a search i would like to do. I would like to add some more information to the search “Top 10 User in Failed Kerberis Authentication” there i would like to add on which workstation the user have tryed to logon.


4 replies

Userlevel 2

You can modyfy your search with this query.

 

norm_id=WinServer label=Kerberos label=Authentication label=Fail -user=*$ user=* | process dns(source_address) as WORKSTATION  | rename description as reason | chart count() by user,WORKSTATION, source_address, pre_authentication_type, reason order by count() desc limit 10 

 

Regards Kai

Thanks al lot

That was exactly what i was looking for.

Carsten

Userlevel 2

No problem, have fune. :)

-Kai

Userlevel 1

Hello Carsten,

You can also find useful use cases in our “Knowledge base” section:
https://community.logpoint.com/knowledge-base

/Rasmus

Reply