I'm confused what the goal of this query is. During testing I kept getting a large amount of results for users but not for "new Logon types". I don't see where in the query it would track or calculate any comparison of logon types for a given user to be able to fire an alert on an anomalous logon. We should also filter out these types of users from the results by adding `user!=*$` to the base query.
```spl
`windows_security` Logon_Type=* "Logon Type" TaskCategory=Logon "Audit Success"
| table _time user Logon_Type
| `patronus_helper`
```
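As an added example (Python, not the original SPL search or the project's own code), this is the per-user comparison the comment says the query lacks: build a baseline of `Logon_Type` values for each human user, skip machine accounts ending in `$` (the `user!=*$` filter), and alert only when a user appears with a logon type not in their baseline. Field names follow the search above; the events are constructed sample data.

```python
# Added example: first-seen Logon_Type per user against a baseline window.
# Field names (_time, user, Logon_Type) follow the search in the comment;
# SAMPLE_EVENTS is constructed data, not real Windows Security log output.
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed 4624-style "Audit Success" events
    {"_time": "2024-01-01T08:00:00", "user": "alice", "Logon_Type": "2"},
    {"_time": "2024-01-01T08:05:00", "user": "bob", "Logon_Type": "3"},
    {"_time": "2024-01-02T09:00:00", "user": "alice", "Logon_Type": "2"},
    {"_time": "2024-01-02T09:10:00", "user": "WKS01$", "Logon_Type": "3"},
    {"_time": "2024-01-03T10:00:00", "user": "WKS01$", "Logon_Type": "5"},
    {"_time": "2024-01-04T11:00:00", "user": "alice", "Logon_Type": "10"},
    {"_time": "2024-01-04T11:30:00", "user": "bob", "Logon_Type": "3"},
]


def is_machine_account(user):
    """Computer accounts end in '$'; equivalent of the suggested user!=*$ filter."""
    return user.endswith("$")


def build_baseline(events):
    """Map each human user to the set of Logon_Type values seen in the window."""
    baseline = defaultdict(set)
    for ev in events:
        if not is_machine_account(ev["user"]):
            baseline[ev["user"]].add(ev["Logon_Type"])
    return baseline


def find_new_logon_types(events, baseline_until):
    """Return one alert per (user, Logon_Type) first seen after the baseline window.

    Events with _time <= baseline_until (ISO-8601 strings compare lexically)
    form the baseline; later events are checked in time order, and each alerted
    type is added to the user's baseline so the same pair fires only once.
    """
    events = sorted(events, key=lambda ev: ev["_time"])
    baseline = build_baseline(ev for ev in events if ev["_time"] <= baseline_until)
    alerts = []
    for ev in events:
        if ev["_time"] <= baseline_until or is_machine_account(ev["user"]):
            continue
        known = baseline[ev["user"]]  # empty set for a user never seen before
        if ev["Logon_Type"] not in known:
            alerts.append({"_time": ev["_time"], "user": ev["user"],
                           "new_Logon_Type": ev["Logon_Type"],
                           "known_Logon_Types": sorted(known)})
            known.add(ev["Logon_Type"])
    return alerts


if __name__ == "__main__":
    for alert in find_new_logon_types(SAMPLE_EVENTS, "2024-01-03T23:59:59"):
        print(alert)
```

With the three-day baseline, only alice's interactive-to-RemoteInteractive change (type 2 to type 10) is reported; bob's repeated type 3 and the WKS01$ machine account produce nothing.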