EventCode=4624 Account_Name="-" Account_Name="-" Account_Name=aparsa | stats count as max_login_attempts by Account_Name | sort - max_login_attempts
Yeah, found additional information but stuck for a long time due to this answer format.
service/protocol → answer only the service, without the protocol, with a capital letter
HTB should add an answer format hint to this question
@Mankpiece I would like guidance, yeah. I think I’m very close, but something’s still unclear as to where I should look. I feel like I’ve tried everything already; been three days on it lol
EDIT: I literally just found the answer approx 2min30sec after writing this and 3 days of grind…
Use this, you will see the username with the highest number of attempts. That’s your answer
index="main" sourcetype="WinEventLog:Security" EventCode=4624
| stats earliest(_time) as first_login latest(_time) as last_login count as total_attempts by Account_Name
| eval duration = last_login - first_login
| where duration <= 600
| sort -total_attempts
For question 3 “all 4624 events the account name that made the most login attempts within a span of 10 minutes.”:
sourcetype="WinEventLog:Security" EventCode="4624"
| stats earliest(_time) as first_login latest(_time) as last_login count by Account_Name
| eval duration=last_login - first_login
| where duration <= 600
| sort - count
| head 1
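As an added example that is not from the thread, here is the same check done in Python as a sliding 10-minute window over constructed sample 4624 events: it counts the densest burst of logons per account, rather than requiring an account's first and last logon to fall within 600 seconds as the SPL above does. The timestamps and account names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

# Constructed sample events (timestamp, Account_Name); not real log data.
SAMPLE_EVENTS = [
    ("2024-01-01 09:00:00", "alice"),
    ("2024-01-01 09:01:00", "alice"),
    ("2024-01-01 09:30:00", "alice"),
    ("2024-01-01 10:00:00", "bob"),
    ("2024-01-01 10:02:00", "bob"),
    ("2024-01-01 10:04:00", "bob"),
    ("2024-01-01 10:06:00", "bob"),
    ("2024-01-01 10:30:00", "bob"),
    ("2024-01-01 11:00:00", "-"),
    ("2024-01-01 11:00:05", "-"),
    ("2024-01-01 11:00:10", "-"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def max_logins_in_window(events, window=WINDOW, ignore=("-",)):
    """Return {account: most 4624 events inside any single window}.
    Accounts in `ignore` (the "-" placeholder Windows writes for
    system logons) are skipped, which is what the Account_Name
    filters in the thread are trying to do."""
    by_account = defaultdict(list)
    for ts, name in events:
        if name not in ignore:
            by_account[name].append(parse(ts))
    result = {}
    for name, times in by_account.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it is within `window` of t
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[name] = best
    return result

def top_account(events):
    counts = max_logins_in_window(events)
    return max(counts.items(), key=lambda kv: kv[1])
```

With the sample data, neither account's full first-to-last span is under 600 seconds, so the span check in the thread would match nothing, while the sliding window correctly reports bob with 4 logons in one 10-minute window.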