I am trying to create an alert to track admin users logged on to Windows servers but not performing any activities even after 30 mins of logging in/authentication.
index=main (eventtype=logonactivity OR eventtype=wineventlogsecurity OR eventtype=wineventlog_system)
In Windows logs, I can use Logon_id to track sessions, but I need to find out the age/delta time that is more than 30 mins.
Any suggestions/thoughts? Thanks in advance.
base search | reverse | streamstats window=1 current=f latest(_time) as next_activity by user | eval next_activity=coalesce(next_activity, now()) | eval gap=next_activity-_time | where gap>1800
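The gap logic of the search above (per user, time from each event to that user's next event, with the most recent event measured against "now", then keep gaps over 1800 s), re-implemented as an added Python example that is not part of this thread, over a constructed event set so it can be checked offline. Field names `_time` and `user` follow the search; `Logon_ID` is included only to show that the same logic can key on a session instead of a user.

```python
import time

# Constructed sample events (not real log data): epoch seconds, user, logon session.
SAMPLE_EVENTS = [
    {"_time": 1000, "user": "alice", "Logon_ID": "0x1a", "EventCode": 4624},
    {"_time": 1500, "user": "alice", "Logon_ID": "0x1a", "EventCode": 4688},
    {"_time": 4000, "user": "alice", "Logon_ID": "0x1a", "EventCode": 4688},
    {"_time": 1200, "user": "bob",   "Logon_ID": "0x2b", "EventCode": 4624},
    {"_time": 4500, "user": "carol", "Logon_ID": "0x3c", "EventCode": 4624},
]

IDLE_THRESHOLD = 1800  # seconds, the "where gap>1800" in the search


def idle_gaps(events, threshold=IDLE_THRESHOLD, now=None, key=lambda e: e["user"]):
    """Return events followed by more than `threshold` seconds of inactivity.

    Mirrors: streamstats next event time by user | coalesce(next, now()) |
    gap = next - _time | where gap > threshold.  `key` picks the grouping
    (e.g. lambda e: (e["user"], e["Logon_ID"]) to work per logon session).
    """
    now = time.time() if now is None else now
    groups = {}
    # Sort oldest first so "next" really is the following event in time.
    for ev in sorted(events, key=lambda e: e["_time"]):
        groups.setdefault(key(ev), []).append(ev)

    flagged = []
    for grp, evs in groups.items():
        for i, ev in enumerate(evs):
            # Last event in the group has no successor: measure against now.
            next_activity = evs[i + 1]["_time"] if i + 1 < len(evs) else now
            gap = next_activity - ev["_time"]
            if gap > threshold:
                flagged.append({"key": grp, "_time": ev["_time"], "gap": gap})
    return flagged


if __name__ == "__main__":
    for hit in idle_gaps(SAMPLE_EVENTS, now=5000):
        print(f"{hit['key']}: idle for {hit['gap']}s after event at {hit['_time']}")
```

With the constructed data and `now=5000`, alice is flagged for the 2500 s gap after her event at 1500 and bob for 3800 s since his only logon; carol's logon at 4500 is still within the threshold.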
I have a slightly different problem now: trying to find no session activities in Unix/Linux using /var/log/secure and the nix add-on. I have tried a few options using stats/eventstats/streamstats, but I am running into an issue, as I don't have a common field.