We have information from our Email Security Solution on the users that are most often targeted by email threats. We'd like to use this list of highly targeted users and identify the computers on which they work to validate the security posture of these machines. Rather than create a static group based upon the people we think are at high risk, we'd like to use the actual email threat information to dynamically update a list of high risk computers.
Has anyone done this? I think we could use the search token "lastloggedonuser", but am unclear as to how we should create this group of machines. Can we create an asset tag to group computers on which the targeted individuals were last logged on?