topic Re: User Account Logged On For More Than 12 Hours in Splunk Search

User Account Logged On For More Than 12 Hours

websplunk01 — Thu, 13 Jan 2022 16:54:47 GMT

Hi ,
I am trying to figure out how to write a query to create an alert that will alert me whenever a user is logged on to the machine more than 12 hours .
Can you please help me figure this out . Thank you

Re: User Account Logged On For More Than 12 Hours

ITWhisperer — Thu, 13 Jan 2022 18:44:21 GMT

What events do you have available?

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Thu, 13 Jan 2022 19:11:12 GMT

Security , system and application

Re: User Account Logged On For More Than 12 Hours

ITWhisperer — Thu, 13 Jan 2022 19:26:44 GMT

Can you provide some sample events please?

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Thu, 13 Jan 2022 19:35:53 GMT

01/13/2022 02:12:37 PM LogName=Security EventCode=4624 EventType=0 ComputerName=GWD58EF SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=51488031 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: GWD58EF\admin Account Name: admin Account Domain: GWD58EF Logon ID: 0x1FF978045 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: XTHD09A Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Re: User Account Logged On For More Than 12 Hours

ITWhisperer — Thu, 13 Jan 2022 20:00:02 GMT

Can you split this up into separated events, perhaps putting each in a code block </>

Re: User Account Logged On For More Than 12 Hours

johnhuang — Fri, 14 Jan 2022 03:36:43 GMT

Having worked through a lot of challenges around calculating windows sessions, it is much complex than that you'll expect.

The sample event that you've provided indicate that the logon type = 3 which is logged when a user access a shared resource of the host remotely (e.g. mapped drive) -- should that be in scope? How about services running as a service account? More info about logon types: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

What is the size of your environment, number of users and host? What is your (screensaver) password inactivity lock policy?

Give me a better understanding of what you're trying to achieve.

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Fri, 14 Jan 2022 14:39:21 GMT

it would be something like : source=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10) , I dont need to log in the service user , at the moment I have 6 machines connected to splunk and I want an alert to be sent when a user is logged in more than 12 hours .

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Fri, 14 Jan 2022 14:50:33 GMT

01/14/2022 09:47:17 AM LogName=Security EventCode=4624 EventType=0 ComputerName=2R4EHQA SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=166686450 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: 2R4EHQA$ Account Domain: WGG25TJD3 Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: 2R4EHQA\admin Account Name: admin Account Domain: 2R4EHQA Logon ID: 0x10B4B3F587 Linked Logon ID: 0x10B4B3F54B Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x914 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: SV00001-2R4EHQA Source Network Address: 192.168.2.11 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0

this is a result of search query : source=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10)

Re: User Account Logged On For More Than 12 Hours

ITWhisperer — Fri, 14 Jan 2022 16:09:36 GMT

And which event tells you they have logged off or disconnected?

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Fri, 14 Jan 2022 16:15:28 GMT

thats the thing they didnt logoff , they are still connected . so now -12h

Re: User Account Logged On For More Than 12 Hours

ITWhisperer — Fri, 14 Jan 2022 16:56:07 GMT

But presumably you want to ignore those who have logged off? So, how do you find which those are?

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Fri, 14 Jan 2022 16:59:04 GMT

Not sure , I just started with splunk and have little knowledge . that s why I was asking for help .

Re: User Account Logged On For More Than 12 Hours

ITWhisperer — Fri, 14 Jan 2022 17:28:58 GMT

Finding things that don't exist is not one of Splunk's strong suits - Splunk is merely a tool to help you analyse your data - knowledge of your data is by far the most important thing to grasp. Having said that, in order to find what is missing, e.g. a log off event, you need to find the log on events and remove all the log on events which do have corresponding log off events, so that you are left with log on events which don't have log off events, bearing in mind that you might well have disconnect events in your data, which might effectively serve the same purpose as log off events (it depends what you have in your data!).

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Fri, 14 Jan 2022 17:37:22 GMT

thats the thing . there is no log off event , the user logs on and we can find out that by the query i shared . The question is how to calculate the time of logging +12 hours thats where I needed help . but I think I found some queries in https://gosplunk.com/ that will help me find out a way , thank you

Re: User Account Logged On For More Than 12 Hours

ITWhisperer — Fri, 14 Jan 2022 17:44:59 GMT

Try something like this

| eval plus12h=relative_time(_time,"+12h")

Re: User Account Logged On For More Than 12 Hours

websplunk01 — Fri, 14 Jan 2022 17:51:24 GMT

I will , Thank you

Re: User Account Logged On For More Than 12 Hours

isoutamo — Fri, 14 Jan 2022 18:30:47 GMT

I think that this is the hardest part of this case. Maybe this helps you https://superuser.com/questions/1614690/how-to-find-when-a-user-is-started-and-ended-a-session-on-computer-based-on-wind

r. Ismo

Re: User Account Logged On For More Than 12 Hours

johnhuang — Tue, 18 Jan 2022 20:23:16 GMT

Try this. Since your environment is small, it should work well -- there's a lot of different corner cases with large complex environments that makes things more complicated.

In addition to logon type 2, and 10, you should include 7 for unlocking a existing session, and 11 for local logins using cached credentials.

As for calculating when a session ends, this is the tricky part. You can look for EventCode 4657 (user initiated logoff), 4779 (terminal/rdp disconnect), and 4800 for locked screen.

To calculate active sessions with no logoff events, we will rely on orphaned transactions and use the current time to calculate session length.

source=WinEventLog:Security (EventCode=4647 OR EventCode=4779 OR EventCode=4800 OR (EventCode=4624 AND (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11))) earliest=-18h@h | eval event_type=CASE(EventCode=4624, "logon", EventCode=4779 OR EventCode=4800 OR EventCode=4647, "logoff") | eval user=LOWER(user) | dedup host user event_type | transaction host user keeporphans=1 unifyends=1 maxspan=24h maxopentxn=10000 startswith=(event_type=logon) endswith=(event_type=logoff) | eval current_status=IF(event_type="logoff", "inactive", "active") | eval duration_secs=IF(event_type="logoff", duration, now()-_time) | eval duration_hours=ROUND(duration_secs/3600, 2) | table _time duration_hours duration_secs host user EventCode Logon_Type event_type current_status | where duration_hours>12