Getting Data In

Track all active sessions (RDP) in the network by user

givehchin
Path Finder

Hello, I want to track all active sessions (RDP) in the network and see who logs in to which server, what the source IP address is, and the total minutes the session has been active.
I use this search, found in this forum with some tuning, but it doesn't cover everything I need; it is necessary that I know how long the session has been active.
Sorry if my English is not fluent.

source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| stats sum(duration) AS Duration by User, ComputerName, Source_Network_Address
| eval Duration_Min=round(Duration/60, 0)
| table User, Source_Network_Address, Duration_Min, ComputerName
0 Karma

solarboyz1
Builder

it is necessary that I know how long the session has been active

From the search you attached:

| eval Duration_Min=round(Duration/60, 0)
| table User, Source_Network_Address, Duration_Min, ComputerName

The Duration here is the time between the login and logoff events associated with the session.
Although I believe there may be an issue:

| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1   

If a user RDPs to multiple systems, those sessions could be incorrectly connected as a single transaction, since you are only using the username as the criterion. I would change that to:

| transaction User, ComputerName maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1   
0 Karma

givehchin
Path Finder

Thank you, it is useful.
If I want to track active sessions too, what should I do? I mean the user does not log off, because we want to monitor users' behavior.

0 Karma

solarboyz1
Builder

You would keep evicted (incomplete) transactions and find the incomplete ones with the start event:

| transaction User, ComputerName  startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 maxevents=2  keepevicted=true 
| search closed_txn=0 AND EventCode=4624

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Transaction

0 Karma
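The two answers above describe the same pairing logic: a 4624 starts a session, a 4634 on the same user and computer ends it, and with keepevicted=true a transaction that never sees its 4634 (closed_txn=0) is an active session whose duration runs up to "now". The following is an added example, not code from this thread or from Splunk, that implements that logic in Python over constructed sample events so it can be run offline. It assumes the field names the Splunk Add-on for Microsoft Windows extracts (EventCode, Account_Name, ComputerName, Source_Network_Address, Logon_Type) plus Logon_ID, which the thread's searches never use; pairing on Logon_ID as well as user and computer is an assumption added here, and so is the Logon_Type=10 filter that restricts the logons to RemoteInteractive (RDP) ones, since the original search counts every successful logon type. Note that an RDP user who only disconnects (closes the client) without signing out produces no 4634, so that session stays "active" here just as it would in the keepevicted search.

```python
from datetime import datetime
from typing import Dict, List, Tuple, Union

# Constructed sample events, not real logs. 4624 carries two Account_Name
# values (subject, then target), exactly what the SPL mvindex(...,1) relies on.
SAMPLE_EVENTS = [
    # alice RDPs to srv01 and logs off 90 minutes later: a closed session.
    {"_time": "2019-09-10T08:00:00", "EventCode": 4624, "Logon_Type": 10,
     "Account_Name": ["SRV01$", "alice"], "ComputerName": "srv01",
     "Source_Network_Address": "10.1.1.5", "Logon_ID": "0x1A2B"},
    {"_time": "2019-09-10T09:30:00", "EventCode": 4634,
     "Account_Name": "alice", "ComputerName": "srv01", "Logon_ID": "0x1A2B"},
    # alice also RDPs to srv02 and has not logged off: an active session.
    # Keying on ComputerName keeps it apart from the srv01 session.
    {"_time": "2019-09-10T10:00:00", "EventCode": 4624, "Logon_Type": 10,
     "Account_Name": ["SRV02$", "alice"], "ComputerName": "srv02",
     "Source_Network_Address": "10.1.1.5", "Logon_ID": "0x3C4D"},
    # bob: a network logon (Logon_Type 3), not RDP; must be ignored.
    {"_time": "2019-09-10T10:05:00", "EventCode": 4624, "Logon_Type": 3,
     "Account_Name": ["-", "bob"], "ComputerName": "srv01",
     "Source_Network_Address": "10.1.1.9", "Logon_ID": "0x5E6F"},
    # A machine account, dropped like `NOT User=*$` in the SPL.
    {"_time": "2019-09-10T10:10:00", "EventCode": 4624, "Logon_Type": 10,
     "Account_Name": ["-", "SRV03$"], "ComputerName": "srv01",
     "Source_Network_Address": "10.1.1.3", "Logon_ID": "0x7788"},
    # A 4634 whose 4624 lies outside the search window: nothing to pair with.
    {"_time": "2019-09-10T10:15:00", "EventCode": 4634,
     "Account_Name": "carol", "ComputerName": "srv02", "Logon_ID": "0x9999"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive; assumption added here, not in the thread
NOW = datetime(2019, 9, 10, 10, 45)  # fixed "now" so the example is reproducible

SessionKey = Tuple[str, str, str]  # (user, computer, source ip)


def pick_user(account_name: Union[str, List[str]]) -> str:
    """Mirror the SPL eval: take the second Account_Name value when there are two."""
    if isinstance(account_name, list):
        name = account_name[1] if len(account_name) > 1 else account_name[0]
    else:
        name = account_name
    return name.lower()


def summarize(events: List[dict], now: datetime) -> Dict[SessionKey, Tuple[int, bool]]:
    """Pair 4624/4634 into sessions and return {(user, computer, src): (minutes, active)}.

    Closed sessions get logoff - logon; sessions still open get now - logon,
    which is what the keepevicted/closed_txn=0 search exposes.
    """
    open_sessions: Dict[Tuple[str, str, str], dict] = {}  # (user, computer, logon_id)
    closed: List[dict] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        t = datetime.fromisoformat(ev["_time"])
        user = pick_user(ev["Account_Name"])
        if user.endswith("$"):
            continue  # machine account
        key = (user, ev["ComputerName"], ev["Logon_ID"])
        if ev["EventCode"] == 4624:
            if ev.get("Logon_Type") != RDP_LOGON_TYPE:
                continue  # not an RDP logon
            open_sessions[key] = {"user": user, "computer": ev["ComputerName"],
                                  "src": ev["Source_Network_Address"], "start": t}
        elif ev["EventCode"] == 4634:
            session = open_sessions.pop(key, None)
            if session is None:
                continue  # logoff with no logon in the window
            session["end"] = t
            closed.append(session)

    rows: Dict[SessionKey, Tuple[int, bool]] = {}
    for s in closed + list(open_sessions.values()):
        active = "end" not in s
        end = now if active else s["end"]
        minutes = round((end - s["start"]).total_seconds() / 60)
        rows[(s["user"], s["computer"], s["src"])] = (minutes, active)
    return rows


def demo() -> Dict[SessionKey, Tuple[int, bool]]:
    """Run the pairing over the constructed events with the fixed NOW."""
    return summarize(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for (user, computer, src), (minutes, active) in demo().items():
        state = "ACTIVE" if active else "closed"
        print(f"{user:8} {src:12} {minutes:5d} min  {computer}  {state}")
```

Run it and the output lists alice's closed 90-minute session on srv01 and her still-open session on srv02 (45 minutes as of NOW); bob's network logon, the machine account and the unmatched logoff for carol are all dropped. The same three filters are the ones to check in the SPL: without a Logon_Type restriction the transaction will also pair console, service and network logons, and without a per-logon key a user's logoff from one session can close another of theirs on the same host.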

givehchin
Path Finder

Did you test this yourself?

0 Karma

somesoni2
SplunkTrust

What problem do you see with the current search results? How many events is your search processing (or could it process)?

0 Karma

givehchin
Path Finder

I want to see active sessions. This search shows sessions that have disconnected and where the user is no longer active; I need to see active sessions.

0 Karma

givehchin
Path Finder

Can no one help me?

0 Karma