Getting Data In

Has anyone tried monitoring and searching interactive Windows Active Directory logon events?

jhillenburg
Path Finder

Hi. Splunk makes it pretty easy to identify logon/logoff events. However, what I'm really interested in right now are interactive events -- ie. someone who is logging directly into a system using the console or RDP, rather than logon events that are initiated by a service starting or someone unlocking their system. Has anyone tried this before?

Thanks.

gcusello
SplunkTrust
SplunkTrust

Hi jhillenburg,
You could use the Logon_Type field:

  • 2,Interactive Access 3,Network Access
  • 4,Script Access 5,Servirce Access
  • 7,Interactive Accessfrom Blocked Console
  • 10,Terminal Services Access
  • 11,Interactive Access with cached credentials

Beware to duplicated Login Events: each access generates many login events, so you have to filter them using dedup or transaction commands.

Bye.
Giuseppe

0 Karma

hochit
Path Finder

I'm looking for a solution of this as well. Seems app for windows infra doesn't provide this.
Seems we can archive it by PowerShell.
I haven't started yet, just begin with thought exchange. What do you think?

https://gallery.technet.microsoft.com/scriptcenter/Get-LoggedOnUser-Gathers-7cbe93ea

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...