All Apps and Add-ons

Users logging windows on two machines at the same time


I'm trying to find out which users are logging on two machines at the same time (sharing login)

I already know some log fields and started to make a sketch, but I think I'm on the wrong track ...

host=ADServer sourcetype="WinEventLog:Security" NOT User=*$ EventCode=540 OR EventCode=538 | transaction startswith=EventCode="540" endswith=EventCode="538" | eval duration=tostring(duration,"duration") | table _time user duration name EventCode ComputerName Source_Network_Address

What I would do was to show just who logged in more than two machines. Could someone help me

0 Karma


Hello, jcoates_splunk

I managed to create the report using this search

sourcetype="WinEventLog:Security" OR (EventCode=540 OR EventCode=4624) NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| stats dc(src_ip) as Number_logged_hosts, values(src_ip) as "Logins IPs, values(dvc) as "Domains Controller", count by user

| rename user as Users, count as Total_time_logged_in
| where Number_logged_hosts>1
| sort -Number_logged_hosts Users


If the user logged off from the host before login on the other? On this case you'll alert the both, or not?

0 Karma


Sergei - you are missing a close quote " after values(src_ip) as "Logins IPs.
It should read:
values(src_ip) as "Logins IPs", ...

0 Karma

Splunk Employee
Splunk Employee

hi, since the data is tagged for CIM, it should be easier to use tags and eventtypes:
tag=authentication eventtype="windows_logon*" | eventstats count(dest) as dest_count by user | timechart max(dest_count) by user

If you have the CIM installed I also got good results with Search->Pivot -> Authentication -> Successful Authentication. I added a filter for Sourcetype starts with win*, split the row by user, and the column by dest to get a table. Or use the scatter plot to map distinct counts of users and dests.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...