Detecting Account sharing with winlogbeat

Raj_Kumar · October 3, 2018, 9:36am

Hi There,

Am trying to write a query for detecting the account shares among the users .I dont know how to execute it.

I have field called event_data.TargetUserName and event_data.IpAddress, i would like to search for query some thing like

At 10:00am > [ event_data.TargetUserName = abc , event_data.IpAddress=10.0.0.1 ]
At 10.05am > [ event_data.TargetUserName = abc , event_data.IpAddress=10.0.0.5 ]

there is possiblity of user having multiple machines but still could be useful to track .May be ip in different subnets reflecting in different location

Thanks,
Raj

system · October 31, 2018, 9:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Monitor Windows Logons win Winlogbeat Beats winlogbeat	2	362	June 25, 2020
Elasticsearch filter plugin and winlogbeat Logstash	2	207	June 25, 2021
Winlogbeat event id missing Beats winlogbeat	5	510	January 17, 2022
Config check, filtering out users Beats winlogbeat	2	352	August 26, 2021
Reporting Windows Security Events in Kibana Beats winlogbeat	4	5386	April 12, 2016

Detecting Account sharing with winlogbeat

Related topics