topic Re: Tracking Session Open/Closed in Splunk Enterprise Security

Tracking Session Open/Closed

Hegemon76 — Wed, 04 Apr 2018 18:14:35 GMT

Hello,

How could I track if a session is opened but not closed immediately and by track I mean implementing a rule to alert for a session longer than a second?

Apparently I don't have enough points to post the logs associated with this in a picture :(.

4/3/18 Apr 3 09:00:00 nwknjrhca1 sshd[31059]: pam_unix(sshd:session): session opened for user "x" by (uid=0)

Then there is a correspond event for the session being closed at the exact same time.

4/3/18 Apr 3 09:00:00 nwknjhca1 sshd[30997]: pam_unix(sshd:session): session closed for user "x"

Any help would be greatly appreciated!

Thanks!

Re: Tracking Session Open/Closed

Hegemon76 — Wed, 04 Apr 2018 18:56:47 GMT

index=main sourcetype=linux_secure user="x" | transaction pid startswith="session opened" endswith="session closed"| table _time user duration

So if I can somehow get this to show duration of greater than 2 seconds and report on that.....would be perfect.....

Re: Tracking Session Open/Closed

elliotproebstel — Wed, 04 Apr 2018 19:02:24 GMT

Create an alert, and use this search:

index=main sourcetype=linux_secure user="x" 
| transaction pid startswith="session opened" endswith="session closed"
| where duration>2
| table _time user duration

Set it to trigger a notification if the number of events is greater than 0.

Re: Tracking Session Open/Closed

Hegemon76 — Wed, 04 Apr 2018 19:16:59 GMT

My goodness I knew it would be easy....

Sigh