All Apps and Add-ons
Highlighted

How to monitor admin users logged on/authenticated but no session activities for 30mins

SplunkTrust
SplunkTrust

I am trying to create an alert to track admin users logged on to windows servers, but not performing any activities even after 30mins of logging in/authentication.

index=main (eventtype=logonactivity OR eventtype=wineventlogsecurity OR eventtype=wineventlog_system)

In windows logs, I can use Logon_id to track sessions, but need to find out the age/delta time which is more than 30mins.

Any suggestions/thoughts? Thanks in advance.

0 Karma
Highlighted

Re: How to monitor admin users logged on/authenticated but no session activities for 30mins

Legend

Try this

base search | reverse | streamstats window=1 current=f latest(_time) as next_activity by user | eval next_activity=coalesce(next_activity, now()) | eval gap=next_activity-_time | where gap>1800

View solution in original post

0 Karma
Highlighted

Re: How to monitor admin users logged on/authenticated but no session activities for 30mins

SplunkTrust
SplunkTrust

Thanks Sundaresh. That helps

0 Karma
Highlighted

Re: How to monitor admin users logged on/authenticated but no session activities for 30mins

SplunkTrust
SplunkTrust

I have a slightly different problem now.. trying to find no session activities in unix/linux using /var/log/secure and nix add-on. I have tried a few options using stats/eventstats/streamstats, but running into issue, as i don't have a common field...

https://answers.splunk.com/answers/448591/statseventstats-how-to-track-open-session-when-clo.html

0 Karma