Hello,

Thank you so much. The event IDs listed are all regarding changes to the system. This report would be the "report that shows Changes to System Sec Config events". Regarding all logs, we have identified the specific ones. I am running the query you suggested but it's not giving any results. No error messages. Thanks again! 🙂

    index=foo eventid IN (4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740, 4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4791, 631)
    | fields user, action, subject, ProcessName
    | stats min(_time) as FirstEvent max(_time) as LastEvent count by user, _time, action, subject, ProcessName AND NOT User IN (list_of_users ) AND User_Impacted != (AD_Group)
    | where NOT (match(Host_Impacted, "sc") OR match(Host_Impacted, "sd") OR match(Host_Impacted, "^sc.+") OR match(Host_Impacted, "^sd.+"))
    | table User, _time, EventID, Group, Host, Host_Impacted, Login, VendorMsgID, Domain Impacted)
    | stats values(*) as * by User