index="$idx$" sourcetype="$st$" (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4648 OR EventCode=4624 OR EventCode=4774) Logon_Type=* earliest=-48h|eval Account_Name=if(isnull(Account_Name),User,Account_Name)|eval Account_Name=mvindex(Account_Name,1)|search NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON" OR Account_Name="SYSTEM" OR Account_Name="LOCAL SERVICE" OR Account_Name="NETWORK SERVICE" OR Account_Name="-")|timechart span=1d dc(ComputerName) AS server_count,dc(Account_Name) AS user_count,count AS logon_count index="$idx$" sourcetype="$st$" (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4648 OR EventCode=4624 OR EventCode=4774) Logon_Type=*|eval Account_Name=if(isnull(Account_Name),User,Account_Name)|eval Account_Name=mvindex(Account_Name,1)|search NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON" OR Account_Name="SYSTEM" OR Account_Name="LOCAL SERVICE" OR Account_Name="NETWORK SERVICE" OR Account_Name="-")|eval login_method=Logon_Type|replace 0 with "System Only",2 with "Interactive Logon",3 with "Network",4 with "Batch",5 with "Service",6 with "Proxy logon",7 with "Unlock",8 with "Network Clear Text",9 with "New Credentials",10 with "Remote Interactive",11 with "Cached Interactive",12 with "CachedRemoteInteractive",13 with "CachedUnlock" in login_method|timechart span=1d count by login_method|addtotals $field1.earliest$ $field1.latest$ index="$idx$" sourcetype="$st$" (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4648 OR EventCode=4624 OR EventCode=4774) Logon_Type=*|eval Account_Name=if(isnull(Account_Name),User,Account_Name)|eval Account_Name=mvindex(Account_Name,1)|search NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON" OR Account_Name="SYSTEM" OR Account_Name="LOCAL SERVICE" OR Account_Name="NETWORK SERVICE" OR Account_Name="-")|stats count by Account_Name,ComputerName,Source_Network_Address|search NOT (Source_Network_Address="-") $field1.earliest$ $field1.latest$ User Logon Metrics / Trends

Select The Index All * index index | eventcount summarize=false index=* | dedup index | fields index Select Sourcetype WinEventLog:Security WinEventLog:Security sourcetype sourcetype |metadata type=sourcetypes|table sourcetype|search NOT sourcetype="WinEventLog:Security" Date -30d@d now

|table _time server_count |timechart span=1d sum(server_count) AS count none value block 0 1 1 standard absolute after 1 1 ["0x6db7c6","0xf7bc38"] [15000] Day-Day Trend |table _time user_count |timechart span=1d sum(user_count) AS count none value block 0 1 1 standard absolute after 1 1 ["0x6db7c6","0xf7bc38"] [15000] Day-Day Trend |table _time logon_count |timechart span=1d sum(logon_count) AS count none value block 0 1 1 standard absolute before 1 1 ["0x6db7c6","0xf7bc38"] [15000] Day-Day Trend |fields _time Total column ellipsisNone 0 collapsed visible visible linear linear 0 inherit 50 10 area gaps all 0.01 stacked shiny all 0 0 ellipsisMiddle right |fields _time "System Only","Interactive Logon",Unlock,"Remote Interactive","Cached Interactive","CachedRemoteInteractive" ellipsisNone 0 collapsed visible visible linear linear 0 inherit column 50 10 area gaps all 0.01 stacked shiny all 0 0 ellipsisMiddle right |fields - Total "System Only","Interactive Logon",Unlock,"Remote Interactive","Cached Interactive","CachedRemoteInteractive" column ellipsisNone 0 collapsed visible visible linear linear 0 inherit 50 10 area gaps none 0.01 stacked shiny all 0 0 ellipsisMiddle right |stats sum(count) AS count by Account_Name|sort - count |head 5 bar |stats sum(count) AS count by ComputerName|sort - count |head 5 ellipsisNone 0 visible visible visible linear linear 0 inherit pie 50 10 area gaps none 0 default shiny all 0 0 ellipsisMiddle right |stats sum(count) AS count by Source_Network_Address|sort - count |head 5 bar