Help-Query for user logged into multiple systems


Hi,

I am looking for a query for finding ‘users logged into multiple machines’. Can someone please help me out?

Thanks in advance,

KP


1 comment

Prajwal Basnet

Hi Kamal,

To retrieve the result of "users logged into multiple machines", you can execute the following query:

label=login source_address=* | rename source_address as host_address | chart count() as Times by user, host_address, host

For a more visually appealing representation of the data in a Dashboard widget, it is recommended to select the Sankey visualization option.

If you wish to inspect the logs for a specific user logged into multiple machines, you can modify the query by adding the "user" field with the desired user value:

label=login user=Heisenberg source_address=* | rename source_address as host_address | chart count() as Times by user, host_address, host

This modified query will provide the result specifically for the user "Heisenberg" and their corresponding logins on different machines.

Kind Regards,

Prajwal
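
Added example, not part of the original reply: the query above charts login counts per user, host_address and host, so a reviewer still has to spot users that appear against more than one machine. The Python sketch below applies that last step to constructed events carrying the same field names, flagging users seen on two or more distinct `host` values within a sliding time window. The `ts` field, the window length and the reading of `host` as the machine logged into are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names follow the query (user, source_address, host).
# "ts" is a hypothetical timestamp field and every value here is made up.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "Heisenberg", "source_address": "10.0.0.5", "host": "ws-01"},
    {"ts": "2024-05-01T09:10:00", "user": "Heisenberg", "source_address": "10.0.0.5", "host": "ws-02"},
    {"ts": "2024-05-01T09:20:00", "user": "Heisenberg", "source_address": "10.0.0.9", "host": "srv-db"},
    {"ts": "2024-05-01T09:00:00", "user": "jesse", "source_address": "10.0.0.7", "host": "ws-03"},
    {"ts": "2024-05-01T09:05:00", "user": "jesse", "source_address": "10.0.0.8", "host": "ws-03"},
    {"ts": "2024-05-01T08:00:00", "user": "saul", "source_address": "10.0.0.6", "host": "ws-04"},
    {"ts": "2024-05-01T15:00:00", "user": "saul", "source_address": "10.0.0.6", "host": "ws-05"},
    {"ts": "2024-05-01T09:30:00", "user": "mike", "source_address": "", "host": "ws-06"},
]

def multi_host_users(events, window=timedelta(hours=1), min_hosts=2):
    """Return {user: sorted hosts} for users that logged into at least
    min_hosts distinct hosts inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for e in events:
        # Mirror source_address=* in the query: skip events missing a field.
        if not (e.get("user") and e.get("source_address") and e.get("host")):
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()                      # oldest login first
        start, best = 0, set()
        for end in range(len(logins)):
            # Shrink the window until it spans no more than `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {h for _, h in logins[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[user] = sorted(best)
    return flagged

if __name__ == "__main__":
    for user, hosts in multi_host_users(EVENTS).items():
        print(user, "->", ", ".join(hosts))
```

Counting distinct hosts rather than raw logins keeps a user who signs in repeatedly to one machine out of the result, and the window keeps logins that are hours apart from being treated as concurrent.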
