Monitoring Splunk

How can I use windows events to monitor logon sessions

splunk_ny
Engager

I see in my security event log that there is a logon and logoff event. I would like to use this data to track total session logon time in Splunk?

Tags (1)
0 Karma
1 Solution

bschaefer
Splunk Employee
Splunk Employee

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName

View solution in original post

smudge797
Path Finder

Is there a way to have the output the table:
date, user, Duration, ComputerName
day1 user1 10 comp1.com
day2 user1 17 comp1.com
day3 user1 5 comp1.com
day1 user2 17 comp2.com
day2 user2 11 comp2.com
day3 user2 13 comp2.com
...

GoneSplunking
Explorer

index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| bucket _time span=day
| stats sum(duration) by _time user host
| rename duration AS "Duration (seconds)"

0 Karma

bschaefer
Splunk Employee
Splunk Employee

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...