sourcetype=syslog sudo | stats count by user host | map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"
``` Counts syslog events containing "sudo" by user and host, then runs one follow-up search of index=ad_summary per result row to find that user's ad_last_logon record. ```
``` NOTE(review): map runs at most maxsearches follow-up searches (default 10), and the rows are not sorted before map, so with more than 10 user/host pairs some users are not looked up unless maxsearches is raised. ```
``` NOTE(review): $user$ is substituted unquoted into the inner search, so a value containing spaces or search syntax changes the inner query; consider username=\"$user$\". ```
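sourcetype=osx_secure | rex field=_raw "authinternal\sfailed\sto\sauthenticate\suser\s(?<user>\S+)" | stats count by user, host | sort - count
``` Counts failed authentications per user and host in osx_secure events, highest count first. ```
``` The literal must read "failed\sto": with the "d" missing, \s cannot match the "d" in "failed to authenticate", so no user field is extracted and stats returns nothing. ```
``` Events where the rex does not match have no user field and are dropped by "stats ... by user". ```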
sourcetype=osx_secure | rex field=_raw "authinternal\sauthenticated\suser\s(?<user>\S+)" | stats count by user, host | sort - count
``` Counts successful authentications per user and host in osx_secure events, highest count first. ```
``` The user field is extracted by rex from the text following "authinternal authenticated user"; events that do not match carry no user field and are dropped by "stats ... by user". ```
sourcetype=linux_secure tag=authentication action=failure | stats count by user | sort - count
``` Counts failed authentication events per user in linux_secure, highest count first. ```
``` NOTE(review): relies on the authentication tag and the action field being defined for this sourcetype (presumably by an add-on or local field extractions); without them the search returns nothing. Confirm in your environment. ```
sourcetype=linux_secure tag=authentication action=success | timechart count by src
``` Charts successful authentication events over time, one series per source (src). ```
``` NOTE(review): timechart keeps only the top 10 series by default and folds the rest into OTHER, so low-volume sources are hidden unless limit/useother are set. ```
``` NOTE(review): relies on the authentication tag and the action and src fields being defined for this sourcetype. Confirm in your environment. ```
sourcetype=linux_secure tag=authentication action=success | stats values(user) as user, count by src
``` For each source (src), lists the distinct users that authenticated successfully and the total number of successful events. ```
``` A single src with many distinct users is worth comparing against the known jump hosts and management systems. ```
sourcetype=linux_secure tag=authentication action=failure | stats values(user) as user, count by src
``` For each source (src), lists the distinct users with failed authentications and the total number of failed events. ```
``` Many distinct users from one src is the pattern to review for password guessing across accounts; a high count against a single user points to guessing against that one account. ```
``` Output is unsorted; append "| sort - count" to bring the noisiest sources to the top. ```
index=_audit action="log*" | stats count as Attempts by user, info | rename info as "Outcome"
``` Counts Splunk audit events whose action begins with "log", grouped by user and by the info field, which is shown as Outcome. ```
``` NOTE(review): the wildcard matches every action starting with "log", so it may include actions other than "login attempt". Confirm which action values exist in your _audit data. ```
index=_audit info=succeeded | timechart span=1d dc(user) as "Unique Users" count(user) as "Total Logins"
``` Per day, charts the number of distinct users and the number of events carrying a user field among audit events with info=succeeded. ```
``` NOTE(review): there is no action filter, so any audit event with info=succeeded is counted as a login; add action="login attempt" if only logins are wanted. Confirm against your _audit data. ```
index=_audit action="login attempt" info=failed | stats count as "Failed Attempts" by user | rename user as User
``` Counts failed Splunk login attempts per user from the _audit index. ```
``` Output is unsorted; append "| sort - "Failed Attempts"" to list the most-targeted accounts first. ```