Forum Discussion
Surya92 (Copper Contributor)
Apr 09, 2021
Difference between computer and workstation in Sentinel
Can someone help me with this query? We have started working on Sentinel as our primary SIEM tool. We get a few login failure alerts. When investigating the event details of the alert, I see that there is a Computer column and a WorkstationName column. Can someone help me understand the difference between them?
1 Reply
- CliveWatson (Former Employee)
  Is this the alert "Excessive Windows logon failures" which uses the SecurityEvent data?
  https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/securityevent
  I'm pretty sure WorkstationName is the Network remote logon request origin: https://social.msdn.microsoft.com/Forums/en-US/ec183e80-2388-4582-87d0-47b34bc707ad/how-to-write-windows-security-event-log-using-authzreportsecurityevent-like-system-audit-log
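
An added example, not part of the original thread: a KQL query that puts the two columns side by side for failed logons (EventID 4625), treating Computer as the host that recorded the event and WorkstationName as the origin of the logon request, as the reply above describes. The `SampleSecurityEvent` table, host names, accounts and addresses are constructed for illustration; the column names follow the SecurityEvent table.

```kusto
// Constructed sample rows shaped like SecurityEvent failed logons (EventID 4625).
// Hosts, accounts and IP addresses are made up for this example.
let SampleSecurityEvent = datatable(
    TimeGenerated: datetime, EventID: int, Computer: string,
    WorkstationName: string, IpAddress: string, LogonType: int, Account: string)
[
    datetime(2021-04-09 08:00:00), 4625, "DC01.contoso.example", "LAPTOP-17", "10.0.0.23", 3, "CONTOSO\\alice",
    datetime(2021-04-09 08:00:05), 4625, "DC01.contoso.example", "LAPTOP-17", "10.0.0.23", 3, "CONTOSO\\alice",
    datetime(2021-04-09 08:01:10), 4625, "DC01.contoso.example", "LAPTOP-17", "10.0.0.23", 3, "CONTOSO\\bob",
    datetime(2021-04-09 08:02:00), 4625, "FS02.contoso.example", "FS02",      "127.0.0.1", 2, "CONTOSO\\carol",
    datetime(2021-04-09 08:03:00), 4625, "FS02.contoso.example", "-",         "10.0.0.99", 3, "CONTOSO\\dave",
    datetime(2021-04-09 08:04:00), 4624, "DC01.contoso.example", "LAPTOP-17", "10.0.0.23", 3, "CONTOSO\\alice"
];
SampleSecurityEvent
| where EventID == 4625                      // failed logons only
// Computer is usually an FQDN while WorkstationName is a short name, so normalise both.
| extend LoggedBy = toupper(tostring(split(Computer, ".")[0]))
| extend Origin   = toupper(WorkstationName)
| extend OriginKind = case(
    isempty(Origin) or Origin == "-", "origin not reported",
    Origin == LoggedBy,               "same host (local logon attempt)",
    "remote host")
| summarize
    Failures   = count(),
    Accounts   = make_set(Account),
    SourceIPs  = make_set(IpAddress),
    LogonTypes = make_set(LogonType)
    by Computer, WorkstationName, OriginKind
| order by Failures desc
```

To run this against real data, replace `SampleSecurityEvent` with `SecurityEvent` and add a time filter. Keeping `IpAddress` next to `WorkstationName` helps when the workstation name is empty or "-".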