I've been struggling for days with the answer to this question and I can't find it. Does anyone know the answer?

Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Either create a new visualization or edit the “Failed logon attempts [Admin users only]” visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword “admin” anywhere within it. What should you specify after user.name: in the KQL query?


I am doing this now. Have you found any documentation that you can share that points to the answer?

LOL - found answer out just now. [asterisk]admin[asterisk]

[asterisk]admin[asterisk]

Thanks!
