I created this based on another topic on the forum; the script is:
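// Lists successful Windows logons (Security event ID 4624) with Logon Type 10,
// i.e. RemoteInteractive (RDP / Terminal Services) sessions, per endpoint.
//
// Every value is parsed from the rendered event message, so the patterns depend
// on the English-language 4624 labels ("Logon Type:", "New Logon:", ...).
// NOTE(review): on hosts with a localized event log these labels differ and the
// extracted fields would come back null, silently emptying the result - confirm
// the fleet's log language before relying on this for detection.
dataset = xdr_data
| filter event_type = WINDOWS_EVENT_LOG AND action_evtlog_event_id = 4624
// User_Name: the "Account Name" that follows the "New Logon:" header (the account
//            that logged on), not the one in the Subject section.
// Source_IP: captures any non-blank token rather than only a dotted quad, so
//            logons arriving over IPv6 keep their source address instead of
//            showing an empty column.
// HOST_Name: extracted but not listed in the final `fields` stage; add it there
//            if the client workstation name is wanted for triage.
| alter
    Logon_Type = arrayindex(regextract(action_evtlog_message, "Logon Type:.*?(\d+)\r\n"), 0),
    User_Name = arrayindex(regextract(action_evtlog_message, "New Logon:\r\n.*\r\n.*?Account Name:.*?(\w.*?)\r\n"), 0),
    Source_IP = arrayindex(regextract(action_evtlog_message, "Source Network Address:.*?(\S+)\r\n"), 0),
    HOST_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"), 0)
// regextract yields strings, hence the comparison against "10" and not the number 10.
| filter Logon_Type = "10"
// User_Name is spelled exactly as defined in the alter stage (the original listed
// User_name), so the column resolves however the engine treats identifier case.
| fields agent_hostname, User_Name, Logon_Type, Source_IP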