Getting Data In

Has anyone tried monitoring and searching interactive Windows Active Directory logon events?

Path Finder

Hi. Splunk makes it pretty easy to identify logon/logoff events. However, what I'm really interested in right now are interactive events, i.e. someone who is logging directly into a system using the console or RDP, rather than logon events that are initiated by a service starting or someone unlocking their system. Has anyone tried this before?

Thanks.

Legend

Hi jhillenburg,
You could use the Logon_Type field:

  • 2, Interactive Access
  • 3, Network Access
  • 4, Script Access
  • 5, Service Access
  • 7, Interactive Access from Blocked Console
  • 10, Terminal Services Access
  • 11, Interactive Access with cached credentials

Beware of duplicated logon events: each access generates many logon events, so you have to filter them using the dedup or transaction commands.

Bye.
Giuseppe

0 Karma
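A search that puts the Logon_Type filter and the dedup advice from the answer above together, added here as an example; it is not part of the original answer. It assumes Windows Security log events ingested as EventCode 4624 with the field extractions of the Splunk Add-on for Windows (Logon_Type, Logon_ID, user, src_ip, ComputerName); the index name and the exclusion of machine accounts (names ending in "$") are assumptions to adjust for your environment. It goes slightly beyond the list in the answer by also treating Logon Type 12 (RDP with cached credentials, documented by Microsoft alongside type 11) as interactive.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
    (Logon_Type=2 OR Logon_Type=10 OR Logon_Type=11 OR Logon_Type=12)
    NOT user="*$" NOT user="ANONYMOUS LOGON"
| eval logon_kind=case(Logon_Type==2,  "console",
                       Logon_Type==10, "rdp",
                       Logon_Type==11, "console, cached credentials",
                       Logon_Type==12, "rdp, cached credentials")
| dedup ComputerName Logon_ID
| table _time ComputerName user src_ip Logon_Type logon_kind Logon_ID
| sort - _time
```

Logon Type 7 is the workstation unlock event in Microsoft's 4624 documentation, so leaving it out of the filter (together with 3, network, and 5, service) is what drops the unlocks and service starts the question wants to exclude. The dedup key is ComputerName plus Logon_ID rather than Logon_ID alone, because Logon_ID is only unique per host per boot, so the same value can appear on several machines. If the add-on field names differ in your deployment, the raw event fields are Source_Network_Address for src_ip and the second value of Account_Name for the target user. To turn each row into a session with a duration, extend the base search to EventCode=4624 OR EventCode=4634 OR EventCode=4647 and use transaction ComputerName Logon_ID instead of dedup.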

Path Finder

I'm looking for a solution for this as well. It seems the app for Windows infrastructure doesn't provide this.
It seems we can achieve it with PowerShell.
I haven't started yet, just beginning with a thought exchange. What do you think?

https://gallery.technet.microsoft.com/scriptcenter/Get-LoggedOnUser-Gathers-7cbe93ea

0 Karma