All Apps and Add-ons

(Windows) How to find users logged in over night?

boeing_smithbj
Explorer

Hi there,

What I am trying to figure out is how I can search a Windows domain (Security logs?) to find out what users were logged in over night.

Currently installed: Splunk for ActiveDirectory, SA-ldapsearch, sideview utils, TA Windows and Universal Forwarders on our domain controllers/dns servers.

I thought I might be able to get this information out of the Splunk App. for Active Directory by default using the "User Utilization" pull-down, but I believe what that is showing me is users who logged in AT a certain time, not users who were logged in from x-time to y-time.

An example would be -

Come in tomorrow morning and run a search on last night's logs to see if anyone was logged in from say 8 PM to 4 AM.

Any ideas? Thanks!

0 Karma
1 Solution

lukejadamec
Super Champion

You will not need any fancy apps for this search. A simple search will do.

This should get you started.

earliest=-12h@m latest=now() Index=main sourcetype=winevent:security EventCode=528 OR EventCode=540 OR EventCode=4624 | table _time,Account_Name

Save the search, schedule it to run at 6AM everyday, and have it send you an email with the results.

View solution in original post

0 Karma

lukejadamec
Super Champion

You will not need any fancy apps for this search. A simple search will do.

This should get you started.

earliest=-12h@m latest=now() Index=main sourcetype=winevent:security EventCode=528 OR EventCode=540 OR EventCode=4624 | table _time,Account_Name

Save the search, schedule it to run at 6AM everyday, and have it send you an email with the results.

0 Karma

lukejadamec
Super Champion

The event codes are logon event codes, so they are recording logon events. There are types of logons for the various ways a user can 'logon' to a machine (interactive, network, service, etc... 9 total). You may be interested in only a few of those.
Finding users who are currently logged on is a tricky problem in Windows. See this answer for more details: http://answers.splunk.com/answers/43122/determine-users-on-the-same-server-within-a-time-window
I don't really like the solution they came up with, so I think you might want to create a new question for that.

0 Karma

boeing_smithbj
Explorer

Thanks for the quick reply, it worked for me! I added some NOT operators to get rid of machine accounts and anonymous stuff.

I'll have to work on the output a little bit to make it cleaner, i.e.: giving me a total count for each Account_Name so I don't see each one multiple times.

Also, I'm still not sure - this is showing me users who LOGGED IN during that specific time, right? What about users who LOGGED IN BEFORE and stayed logged in throughout the night? I'm guessing that I need to better understand how my Windows logs could be inspected to see logins without a corresponding logout...

0 Karma

lukejadamec
Super Champion

Let me know if you have any problems. There are a billion things you can do with simple searches.

boeing_smithbj
Explorer

Great thanks, I figured a search would do it, I'm just a noob to this whole thing. Looking forward to giving this a go. Thanks

0 Karma

boeing_smithbj
Explorer

Not at work so I can't verify, but I believe we are using the default index setup with the Active Directory App. which is the "main" index, for WinEventLog-Security in eventtypes.conf.

All the other AD related stuff I think goes into the "msad" index.

As far as event id associated with log on, I believe it is 4624 or 4648.

0 Karma

bmacias84
Champion

what index are you storing your DC Security Event Logs? Also do you know what the event id associated with the a log on event is?

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...