How to trigger an alert when a user account connects internally to VPN and to a workstation in a domain network within 5 minutes?

New Member

Hi all,
How can an alert be triggered when a user account is used to connect to vpn from Internal and then used to log on to a workstation in domain network within a close time range? (ie: in 5 mins range)
Suppose that check point logs and windows security logs have been collected.

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Search all the events, then use a transaction per user to find those events over a particular time span, and add conditions to trigger alert.

conditions_vpn_events OR condition_login_events | transaction user maxpause=5min startswith="vpn login" endswith="workstation logon", 1. First, find the events :

Or group by the timestamp | bucket _time span=5m then count them per user
Finally decide what should be the conditions to trigger alert | where mycondition=true
Test the search

Then you can make this a search a scheduled search with alerting, if you did the conditions well to return only alert events, setup an alert condition like : number of results >0

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...