```Failed authentication events grouped by source address, listing every account name tried from that source```
```Relies on the CIM tag/action fields, so the sourcetype must be tagged by the Unix add-on for tag=authentication to match```
sourcetype=linux_secure tag=authentication action=failure
| stats values(user) AS user, count BY src
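```su/sudo events where a session was opened for root: which account escalated, counted per host```
```Parentheses make the implicit-AND / OR grouping explicit; Splunk evaluates OR before AND so the result is unchanged```
```The user capture stops at whitespace or '(' (the "alice(uid=1000)" suffix) instead of \w+, so names containing '-' or '.' are no longer truncated```
```The unused Date eval, the unused hostname rex and the redundant regex filter are dropped; stats BY user already discards events with no user value```
```Grouping uses the indexed host field, as the original did, not the hostname parsed from the syslog header```
sourcetype=linux_secure ("su: " OR "sudo: ")
| rex "\suser\sroot\sby\s(?<user>[^\s(]+)"
| stats count BY user, host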
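```Events that name the root account, counted per host taken from the syslog header```
```The syslog day-of-month is space-padded for days 1-9 ("Jan  5"), so the header pattern allows one or more spaces and 1-2 digits; \s\d{2} silently missed those days```
```Only events that literally contain "user <name>" are attributed; messages phrased differently are not counted here```
sourcetype=linux_secure
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)"
| rex "\suser\s(?<User>[^\s]+)\s"
| search User="root"
| stats count AS "Root Activity Count" BY hostname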
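```Ten hosts producing the most secure-log events, host name taken from the syslog header```
```The syslog day-of-month is space-padded for days 1-9 ("Jan  5"), so the header pattern allows one or more spaces and 1-2 digits; \s\d{2} silently missed those days```
sourcetype=linux_secure
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)"
| top limit=10 hostname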
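```Number of distinct hosts seen in the secure log, host name taken from the syslog header```
```The syslog day-of-month is space-padded for days 1-9 ("Jan  5"), so the header pattern allows one or more spaces and 1-2 digits; \s\d{2} silently missed those days and undercounted hosts```
sourcetype=linux_secure
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)"
| stats dc(hostname) AS "Unique Hosts"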
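```Secure-log event count per host, host name taken from the syslog header```
```The syslog day-of-month is space-padded for days 1-9 ("Jan  5"), so the header pattern allows one or more spaces and 1-2 digits; \s\d{2} silently missed those days```
sourcetype=linux_secure
| rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)"
| stats count BY hostname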
```Most frequently named accounts, without the percentage column```
```sshd "invalid user" lines are excluded so guessed non-existent account names do not pollute the list```
sourcetype=linux_secure NOT "invalid user"
| rex "\suser\s(?<User>[^\s]+)\s"
| top User showperc=false
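```Number of distinct account names seen, excluding sshd "invalid user" probes```
```Fixes the original "statsdc(User)" typo, which is not a command and fails to parse; the command is stats with the dc() function```
sourcetype=linux_secure NOT "invalid user"
| rex "\suser\s(?<User>[^\s]+)\s"
| stats dc(User) AS "Unique Users"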
```Event count per account name, excluding sshd "invalid user" probes```
sourcetype=linux_secure NOT "invalid user"
| rex "\suser\s(?<User>[^\s]+)\s"
| stats count BY User
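```Per-host uptime from the Unix and WMI uptime sourcetypes, longest uptime first```
```dedup host keeps the first event per host in search order; with the default time ordering that is the most recent sample - confirm if the search is sorted otherwise```
```sort 0 removes the default 10000-result cap on sort, so large fleets are not silently truncated```
```months is an approximation using 30-day months```
```A missing comma between "Weeks Up" and months in the original rename is fixed so the pairs are consistently separated```
sourcetype="Unix:Uptime" OR sourcetype="WMI:Uptime"
| dedup host
| eval days=round(SystemUpTime/(60*60*24),2), weeks=round(days/7,2), months=round(days/30,2)
| table host days weeks months SystemUpTime
| sort 0 - SystemUpTime
| rename days AS "Days Up", weeks AS "Weeks Up", months AS "Months Up", SystemUpTime AS "Seconds Up"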