Dashboards & Visualizations

Advises how to build a dashboard that shows the user activity on the Windows data

Builder

Hi there my little friends.

I want to realize a use case that will show me a user's online activity. For example, I have log in/log out data with timestamps.
How best to build the search logic?

First of all, I want to see a general picture of the user's online activity, to understand his behavior and then determine an anomaly (the user logged on to his workstation at a time other than business time).

0 Karma
1 Solution

SplunkTrust

Hi test_qweqwe,
For login and logout, it isn't so easy on Windows (in Linux it's easier!) because each access to the domain generates 10-12 login events (EventCode 4624) and more or less the same number of logout events (EventCode 4634).
This means that you have to correlate many events to understand the real login and logout.
You can easily know the logged-in users by creating a script that uses the Windows CLI command "query user" and using it in a scripted input.

About user's activity, you have to see in your Windows or applications logs which information you have: it depends on many factors (e.g. if you enabled file audit you can trace the accesses to files and folders, but it consumes Splunk license and Servers' resources).

In other words, you have to define exactly what you need (monitoring perimeter) and then see where to find (if you have) logs to do this, then you can think how to do this in Splunk (normally it's the easiest part of the work!).

I hope I didn't discourage you too much!
Useful help could come from the Splunk App for Windows Infrastructure, which gives information from Windows Servers, but it doesn't give you users' activity monitoring.
In addition, I don't know your nationality and your regulations, but in Italy it's forbidden by law to monitor users' activity (for privacy reasons)!

Ciao.
Giuseppe



Builder

Yes, I have noticed that I have a lot of events, and it forced me to ask a question on the forum 😄
No, we don't have such regulations. It's allowed in my country and in the company (in case there's a suspicion that a person is causing damage to the company, an evil insider). But I'm talking about his activity on the corporate resources, not his private life. If a person starts to break a policy, we need to do an investigation and collect statistical data (his activity). It's the same if you use your RFID card to open the doors and your data: when you opened a door, when you came to work - all of this is stored in a DB. And in the event of an incident where you were involved, this database is reviewed (your activity is reviewed).
Or am I talking about different cases, and that's not what you meant?

0 Karma

SplunkTrust

Hi test_qweqwe,
in Italy it's different, it's possible to investigate people's working activities only in policy investigations!

Anyway, you could correlate multiple events: first dedup events with the same user, host and timestamp; then you could use the transaction command, correlating events with the same user and host that start with EventCode=4624 and end with EventCode=4634.
Try something like this:

<your_search>
| dedup user host _time
| transaction user host startswith="EventCode=4624" endswith="EventCode=4634"
| ...

But you have to analyze your results to check if you have to limit your transaction, e.g. to a time period (e.g. maxspan=2h or a different value).

Ciao.
Giuseppe

0 Karma
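The dedup-then-transaction logic in the answer above, and the off-hours anomaly the original question asks for, carried out on a handful of constructed Windows Security events. This is an added example, not code from the thread or from Splunk: the field names (`_time`, `EventCode`, `user`, `host`, `Logon_Type`) are assumed to be those the Splunk Windows add-on would give you, the sample events are invented (including the repeated 4624/4634 lines that model the 10-12 events per logon), and `maxspan` and the business-hours window are assumptions you would tune against your own data. The dedup key here also includes `EventCode`, so a logon and a logoff that share a timestamp are kept apart rather than collapsed.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
LOGON, LOGOFF = 4624, 4634

# Constructed sample events (assumed field names, invented values). The
# repeated lines stand in for the many 4624/4634 events one real logon produces.
SAMPLE_EVENTS = [
    {"_time": "2023-03-06 08:55:00", "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_Type": 2},
    {"_time": "2023-03-06 08:55:00", "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_Type": 2},
    {"_time": "2023-03-06 08:55:00", "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_Type": 2},
    {"_time": "2023-03-06 17:30:00", "EventCode": 4634, "user": "alice", "host": "WS01", "Logon_Type": 2},
    {"_time": "2023-03-06 17:30:00", "EventCode": 4634, "user": "alice", "host": "WS01", "Logon_Type": 2},
    {"_time": "2023-03-07 02:10:00", "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_Type": 2},
    {"_time": "2023-03-07 02:40:00", "EventCode": 4634, "user": "alice", "host": "WS01", "Logon_Type": 2},
    {"_time": "2023-03-06 09:05:00", "EventCode": 4624, "user": "bob", "host": "WS02", "Logon_Type": 2},
    # bob never logs off in this sample: his session stays open-ended
]


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def dedup(events):
    """Mirror of `dedup user host _time`, keyed on EventCode as well so a
    logon and a logoff in the same second are not collapsed into one event."""
    seen, out = set(), []
    for e in events:
        key = (e["user"], e["host"], e["_time"], e["EventCode"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def build_sessions(events, maxspan=timedelta(hours=12)):
    """Mirror of `transaction user host startswith=... endswith=... maxspan=...`.
    Returns dicts with user, host, start and end (None if no logoff was paired)."""
    sessions, open_sessions = [], {}  # open_sessions: (user, host) -> session
    for e in sorted(events, key=lambda ev: parse_time(ev["_time"])):
        key, t = (e["user"], e["host"]), parse_time(e["_time"])
        if e["EventCode"] == LOGON:
            # a new logon while one is still open: the earlier one never closed cleanly
            if key in open_sessions:
                sessions.append(open_sessions.pop(key))
            open_sessions[key] = {"user": e["user"], "host": e["host"], "start": t, "end": None}
        elif e["EventCode"] == LOGOFF and key in open_sessions:
            s = open_sessions.pop(key)
            if t - s["start"] <= maxspan:
                s["end"] = t          # paired logoff within maxspan
            sessions.append(s)        # beyond maxspan the logoff is not attributed
        # a logoff with no open logon is dropped, as transaction would drop it
    sessions.extend(open_sessions.values())
    return sessions


def session_minutes(s):
    return None if s["end"] is None else int((s["end"] - s["start"]).total_seconds() // 60)


def off_hours_sessions(sessions, start_hour=8, end_hour=19):
    """The anomaly from the question: logons at the weekend or outside business hours."""
    return [s for s in sessions
            if s["start"].weekday() >= 5 or not (start_hour <= s["start"].hour < end_hour)]


def analyze(events=SAMPLE_EVENTS):
    clean = dedup(events)
    sessions = build_sessions(clean)
    return clean, sessions, off_hours_sessions(sessions)


if __name__ == "__main__":
    clean, sessions, flagged = analyze()
    print(f"{len(clean)} events after dedup, {len(sessions)} sessions")
    for s in sessions:
        print(s["user"], s["host"], s["start"], s["end"], session_minutes(s), "min")
    for s in flagged:
        print("OFF-HOURS:", s["user"], s["host"], s["start"])
```

The `maxspan` handling is the part worth watching in real data: with a short span, a legitimate all-day session is reported as open-ended, while a very long span lets a forgotten logoff from the previous day close a fresh logon, which is why the answer suggests checking the results before settling on a value.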

Builder

Thanks for your Splunk search, I used it in my research!

0 Karma