02-25-2025 12:52 PM
Hello,
I'm using a canned library query called "Successful Windows Logins" This is a great query but how can I modify it so that its only looking at specific hosts vs all hosts? I can't figure out how to edit this. Can anyone help?
02-25-2025 12:55 PM
Hi @JasonFerris, thanks for reaching us using the Live Community.
You can add this filter to get only your required logs.
| filter agent_hostname = "YOUR_HOSTNAME"
If this post answers your question, please mark it as the solution.
02-25-2025 01:42 PM
@jmazzeo Here is the query. Again this is a query in the query library already. I tried to add in a line above the 1st filter as another filter | filter agent_hostname = "hostname" but it did not return any results.
dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624 // Filtering by windows event log and id 4624
| alter Logon_Type = arrayindex(regextract(action_evtlog_message, "Logon Type:.*?(\d+)\r\n"),0), Domain = arrayindex(regextract(action_evtlog_message, "New Logon:\r\n.*\r\n.*\r\n.Account Domain:.*?(\w.*)\r\n"),0), Source_IP = arrayindex(regextract(action_evtlog_message, "Source Network Address:.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0), Process_Name = arrayindex(regextract(action_evtlog_message, "Process Name:.*?(\w.*)\r\n"),0), Host_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"),0), User_Name = arrayindex(regextract(action_evtlog_message,"New Logon:\r\n.*\r\n.*?Account Name:.*?(\w.*?)\r\n"),0) // Using regextract to get just a part of the full event log message into an array, then using arrayindex to take the first item in the array
| fields User_Name, Host_Name, Domain, Logon_Type, Source_IP, Process_Name // Select all the fields to show them
02-26-2025 09:56 PM
Hello,
I just checked this in my lab, and found under Network Information, Workstation name is showing empty.
If you want to see the successful login, why don't you try simple query:
dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624 // Filtering by windows event log and id 4624
|filter agent_hostname = ""
02-27-2025 08:23 AM
@aspatil how do I separate each hostname within the ""? Also I need more details so is there a way to add this line to my original query somehow? or work this criteria into it?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
