
User Logoff Activity

Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.

Tags: EDR, monitoring, T1078
FDR, intermediate, by ByteRay GmbH (cql-hub.com)

Query

#event_simpleName=UserLogoff
| groupBy([UserName, name, aid, aip, ComputerName, event_platform, LocalIP, LogonDomain, LogonServer, LogonType], function=[count(@timestamp), selectLast([@timestamp])])
| table([@timestamp, UserName, ComputerName, aid, aip, event_platform, LocalIP, LogonDomain, LogonType], limit=20000)

Explanation

Imported from cql-hub.com. Add an explanation of the pipes here.

Variables to adjust

Review and adjust the values to fit your environment.