All Apps and Add-ons

Users logging windows on two machines at the same time


I'm trying to find out which users are logging on two machines at the same time (sharing login)

I already know some log fields and started to make a sketch, but I think I'm on the wrong track ...

host=ADServer sourcetype="WinEventLog:Security" NOT User=*$ EventCode=540 OR EventCode=538 | transaction startswith=EventCode="540" endswith=EventCode="538" | eval duration=tostring(duration,"duration") | table _time user duration name EventCode ComputerName Source_Network_Address

What I would do was to show just who logged in more than two machines. Could someone help me

0 Karma


Hello, jcoates_splunk

I managed to create the report using this search

sourcetype="WinEventLog:Security" OR (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs, values(dvc) as "Domains Controller", count by user

| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users


If the user logged off from the host before login on the other? On this case you'll alert the both, or not?

0 Karma


Sergei - you are missing a close quote " after values(src_ip) as "Logins IPs.
It should read:
values(src_ip) as "Logins IPs", ...

0 Karma

Splunk Employee
Splunk Employee

hi, since the data is tagged for CIM, it should be easier to use tags and eventtypes:
tag=authentication eventtype="windows_logon*" | eventstats count(dest) as dest_count by user | timechart max(dest_count) by user

If you have the CIM installed I also got good results with Search->Pivot -> Authentication -> Successful Authentication. I added a filter for Sourcetype starts with win*, split the row by user, and the column by dest to get a table. Or use the scatter plot to map distinct counts of users and dests.

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...