
sourcetype="WinEventLog:Security" ((EventCode="4771" AND Account_Name!="*$" AND Account_Name!="-") OR (EventCode="4776" AND Failure AND Logon_Account!="*$"))
| fields + host ComputerName Logon_Account Account_Name Client_Address Source_Workstation
| eval uid=coalesce(Logon_Account,Account_Name)
| eval client=coalesce(Client_Address,Source_Workstation)
| fields + uid client ComputerName

This search explicitly excludes local system and computer accounts (names ending in $) and the "-" placeholder value, then normalizes the account and source fields of the two event types into a common uid and client.

Note: 4776 events are logged with "Source Workstation", which is the machine name of the computer, not a remote IP address. To determine the remote IP address, you may need to examine the IIS logs for the respective request.
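As an added example (not part of the original page), the same filter and field normalization applied in Python to a few constructed sample events; the key=value layout, the use of a Keywords field to carry the "Failure" term, and the host names and addresses are all assumptions for illustration.

```python
import re

# Constructed sample events in a key=value shape resembling the fields
# Splunk extracts from WinEventLog:Security (not real log data).
SAMPLE_EVENTS = [
    'EventCode=4771 Account_Name=alice Client_Address=::ffff:10.0.0.5 ComputerName=DC01',
    'EventCode=4771 Account_Name=WS01$ Client_Address=::ffff:10.0.0.7 ComputerName=DC01',
    'EventCode=4771 Account_Name=- Client_Address=::ffff:10.0.0.9 ComputerName=DC01',
    'EventCode=4776 Keywords="Audit Failure" Logon_Account=bob Source_Workstation=WS02 ComputerName=DC01',
    'EventCode=4776 Keywords="Audit Success" Logon_Account=carol Source_Workstation=WS03 ComputerName=DC01',
    'EventCode=4776 Keywords="Audit Failure" Logon_Account=WS04$ Source_Workstation=WS04 ComputerName=DC01',
]

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_candidate(ev):
    """Mirror the search filter: 4771 for non-machine, non-'-' accounts,
    or 4776 audit failures for non-machine accounts."""
    code = ev.get("EventCode")
    if code == "4771":
        name = ev.get("Account_Name", "")
        return not name.endswith("$") and name != "-"
    if code == "4776":
        failed = "Failure" in ev.get("Keywords", "")
        return failed and not ev.get("Logon_Account", "").endswith("$")
    return False

def normalize(lines):
    """Return (uid, client, ComputerName) tuples, coalescing the per-event
    field names the same way the search's eval statements do."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if not is_candidate(ev):
            continue
        uid = ev.get("Logon_Account") or ev.get("Account_Name")
        # For 4776 the client is Source_Workstation, a host name, not an IP.
        client = ev.get("Client_Address") or ev.get("Source_Workstation")
        out.append((uid, client, ev.get("ComputerName")))
    return out

if __name__ == "__main__":
    for row in normalize(SAMPLE_EVENTS):
        print(row)
```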