Solved: How to monitor admin users logged on/authenticated...

lakshman239 · ‎09-05-2016

I am trying to create an alert to track admin users logged on to windows servers, but not performing any activities even after 30mins of logging in/authentication.

index=main (eventtype=logon_activity OR eventtype=wineventlog_security OR eventtype=wineventlog_system)

In windows logs, I can use Logon_id to track sessions, but need to find out the age/delta time which is more than 30mins.

Any suggestions/thoughts? Thanks in advance.

sundareshr · ‎09-05-2016

Try this

base search | reverse | streamstats window=1 current=f latest(_time) as next_activity by user | eval next_activity=coalesce(next_activity, now()) | eval gap=next_activity-_time | where gap>1800

View solution in original post

sundareshr · ‎09-05-2016

Try this

base search | reverse | streamstats window=1 current=f latest(_time) as next_activity by user | eval next_activity=coalesce(next_activity, now()) | eval gap=next_activity-_time | where gap>1800

lakshman239 · ‎09-07-2016

I have a slightly different problem now.. trying to find no session activities in unix/linux using /var/log/secure and nix add-on. I have tried a few options using stats/eventstats/streamstats, but running into issue, as i don't have a common field...

https://answers.splunk.com/answers/448591/statseventstats-how-to-track-open-session-when-clo.html

lakshman239 · ‎09-06-2016

Thanks Sundaresh. That helps

How to monitor admin users logged on/authenticated but no session activities for 30mins

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials