🕵️ Threat Hunting Queries

Category Description Action
🔑 Authentication Account lockouts and failed sign-ins, per hour
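```Authentication: hourly count of distinct users locked out (EventCode 4740) versus distinct users with a failed sign-in (EventCode 4625)```
index IN ($your.windows.index$) sourcetype=WinEventLog (EventCode=4625 OR EventCode=4740)
```Use null() rather than 0 as the else branch: dc() ignores null, but it would count the literal "0" as one more distinct user in every hour that contains the other event type```
| eval lockout_user=if(EventCode="4740", user, null()), failed_user=if(EventCode="4625", user, null())
| timechart span=1h dc(lockout_user) AS lockout, dc(failed_user) AS failure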
🌐 GlobalProtect GlobalProtect Sign-in Logs
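```GlobalProtect: hourly sign-in summary per user, source address and machine, enriched with the ASN owner and geo-IP of the client. Dashboard tokens: $user$, $IP$, $company$```
index=palo sourcetype=pan:globalprotect status=* src_user=$user$ src_ip=$IP$
```CIDR lookup: which ASN / company announces the client address```
| lookup asn_db range AS src_ip OUTPUT asn, company
| iplocation src_ip
```Keep rows that have no machine_name: a null group-by field would otherwise drop the event from the stats output```
| fillnull value=null machine_name
```Normalise src_user (e.g. strip a domain prefix); replace the token with the site's own sed expression```
| rex field=src_user mode=sed "$your.regex.expression.here$"
```Bucket before aggregating: grouping by the raw _time yields one row per event, so success/failure could only ever be 0 or 1. span is the tunable here```
| bin _time span=1h
| stats values(company) AS company, values(Country) AS Country, values(stage) AS stage, count(eval(status="success")) AS success, count(eval(status="failure")) AS failure, values(client_os_ver) AS os_version, values(client_ver) AS client_ver, count AS total BY src_user, src_ip, machine_name, _time
| table _time, src_user, src_ip, company, Country, machine_name, stage, success, failure, os_version, client_ver, total
```The |s filter quotes and escapes the token value, so the company name is matched as a value of the company field instead of being spliced into the pipeline as raw search syntax```
| search company="$company|s$"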