Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Either create a new visualization or edit the “Failed logon attempts [Admin users only]” visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword “admin” anywhere within it. What should you specify after user.name: in the KQL query?
I’ve been struggling for days with the answer to this question and I can’t find it. Does anyone know the answer?
In the steps you have been given, select the Discover option from the navigation toggle, set the calendar, change the index from zeek to window, then run the KQL search query mentioned in the section on comparison operators. One search result will appear; expand it and scroll down to the message area where the account name is present. Hint: the account name starts with a.