Carbon Black Cloud flags suspicious audit log entries, for example a failed login from an IP address the account has not used before, or an account locked after too many failed login attempts.
The search below lists the flagged entries with a geolocated source address. iplocation adds no City, Region or Country field for addresses it cannot resolve (private ranges included), and concatenating a null field in eval yields null, so those fields are filled with empty strings before the location string is built; sort 0 lifts the default 10,000-result limit.
eventtype="vmware_cbc_auditlogs" flagged=true | iplocation src | fillnull value="" City Region Country | eval location = case(Region = "", Country, City = "", Region + ", " + Country, 1=1, City + ", " + Region + ", " + Country) | table _time, user, src, location, description | sort 0 -_time
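The same two conditions and the same location formatting, as an added Python example that is not part of the original page or of the Carbon Black Cloud Splunk app. It runs over constructed audit log records (the loginName, clientIp, description and eventTime field names follow the shape of the Carbon Black Cloud audit log API and are an assumption here), uses a constructed lookup table in place of iplocation, and returns rows shaped like the search's table, newest first. The lockout threshold of five failures is also an assumption. It handles the case the SPL has to guard against, a source address with no geolocation result.

```python
from collections import defaultdict

# Constructed sample audit log records (not real CBC output). The field
# names mirror the Carbon Black Cloud audit log API shape; that mapping is an
# assumption of this example.
SAMPLE_AUDIT_LOGS = [
    {"eventTime": 1700000000, "loginName": "alice@example.com", "clientIp": "198.51.100.7", "description": "Logged in successfully"},
    {"eventTime": 1700000060, "loginName": "alice@example.com", "clientIp": "198.51.100.7", "description": "Login failed"},
    {"eventTime": 1700000120, "loginName": "alice@example.com", "clientIp": "203.0.113.99", "description": "Login failed"},
    {"eventTime": 1700000180, "loginName": "bob@example.com", "clientIp": "10.0.0.5", "description": "Login failed"},
    {"eventTime": 1700000190, "loginName": "bob@example.com", "clientIp": "10.0.0.5", "description": "Login failed"},
    {"eventTime": 1700000200, "loginName": "bob@example.com", "clientIp": "10.0.0.5", "description": "Login failed"},
    {"eventTime": 1700000210, "loginName": "bob@example.com", "clientIp": "10.0.0.5", "description": "Login failed"},
    {"eventTime": 1700000220, "loginName": "bob@example.com", "clientIp": "10.0.0.5", "description": "Login failed"},
]

# Constructed stand-in for the iplocation lookup: one entry lacks City and
# Region, and the private address 10.0.0.5 has no entry at all, which is what
# iplocation produces for addresses it cannot resolve.
GEO = {
    "198.51.100.7": {"City": "Dublin", "Region": "Leinster", "Country": "Ireland"},
    "203.0.113.99": {"City": "", "Region": "", "Country": "Brazil"},
}


def format_location(geo):
    """Collapse City/Region/Country exactly like the search's case(), but treat
    a missing field or a missing lookup result the same as an empty string."""
    geo = geo or {}
    city = geo.get("City") or ""
    region = geo.get("Region") or ""
    country = geo.get("Country") or ""
    if not region:
        return country
    if not city:
        return f"{region}, {country}"
    return f"{city}, {region}, {country}"


def flag_suspicious(records, lockout_threshold=5):
    """Walk the records in time order and emit the two conditions the page
    describes: a failed login from an address the account has never used,
    and an account reaching the (assumed) consecutive-failure lockout count.
    Returns a list of (eventTime, loginName, clientIp, reason)."""
    seen_ips = defaultdict(set)   # loginName -> addresses with any prior activity
    failures = defaultdict(int)   # loginName -> consecutive failed logins
    flagged = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        user, ip, desc = rec["loginName"], rec["clientIp"], rec["description"]
        if desc == "Login failed":
            # Only an account with some history can have a "previously unused" IP
            if seen_ips[user] and ip not in seen_ips[user]:
                flagged.append((rec["eventTime"], user, ip, "failed login from previously unused IP"))
            failures[user] += 1
            if failures[user] == lockout_threshold:
                flagged.append((rec["eventTime"], user, ip,
                                f"account locked after {lockout_threshold} failed logins"))
        else:
            failures[user] = 0    # a successful login resets the failure streak
        seen_ips[user].add(ip)
    return flagged


def report(records, lockout_threshold=5, geo=GEO):
    """Equivalent of the search's table: (_time, user, src, location,
    description) per flagged event, sorted newest first like `sort -_time`."""
    rows = [(t, user, ip, format_location(geo.get(ip)), reason)
            for t, user, ip, reason in flag_suspicious(records, lockout_threshold)]
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for row in report(SAMPLE_AUDIT_LOGS):
        print(row)
```

On the constructed data this yields two rows: alice's failure from 203.0.113.99 (location collapses to "Brazil" because City and Region are empty) and bob's fifth consecutive failure from 10.0.0.5, whose location is an empty string rather than a null, which is the behaviour the fillnull in the search provides.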