I am looking for a way to capture events where a user did not check out credentials from CyberArk before using them to RDP, so a scenario would be that someone checked out some credentials for 12 hours, he used it, then uses it again after 12 hours without doing another checkout.
I have a search where I am using a transaction command to capture CyberArk checkout events and Windows login events and looking for incomplete transactions with closed_txn=0. I have a query built but it does not seem to be capturing the right events because the result that shows up which has the two logs combined (Cyberark checkout and windows login) don’t have the correct information, the account name that was checked out does not match the account name used to login via RDP.
(index=wineventlog AND sourcetype="WinEventLog:Security" AND (LogonType=3 OR LogonType=10 OR LogonType=11) AND [inputlookup xxx.csv | fields + AccountName ])
OR (index=main AND sourcetype="cyberark:epv:cef" AND "Retrieve password" AND (cn2="(Action: Show Password)" OR cn2="(Action: Copy Password)"))
| eval "Logon Behaviour"=case(LogonType==3,"Interactive",LogonType==10,"Remote Interactive",LogonType==11,"Cached Interactive")
| eval "Windows Account"=mvindex(AccountName,1)
| transaction startswith="Retrieve password" endswith="Logon Type" keepevicted=1 keeporphans=1
| search closedtxn=0
| bucket _time span=12h
| stats count by _time "Windows Account" action WorkstationName "Logon Behaviour"
| rename action as "Logon Result" Workstation_Name as "Workstation"
Below are a sample checkout event and a sample RDP event. I would appreciate any help in figuring this out or a better way to accomplish something like this.