SIEM Search Expression Challenge Exercise

PrimitiveRaccoon2400 · May 9, 2025, 5:13am

Help..???
Which command may i use to find out three accounts? data.win.system.eventID:4624 and data.win.eventdata.targetUserName:administrator/SYSTEM/cybrary…?
no good result even with more boolen(not)

JosephWhite · May 9, 2025, 5:12pm

Remember you are looking for logon failures, so not Event ID 4624.