Monitoring Splunk

How can I use windows events to monitor logon sessions

splunk_ny
Engager

I see in my security event log that there is a logon and logoff event. I would like to use this data to track total session logon time in Splunk?

Tags (1)
0 Karma
1 Solution

bschaefer
Splunk Employee
Splunk Employee

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName

View solution in original post

smudge797
Path Finder

Is there a way to have the output the table:
date, user, Duration, ComputerName
day1 user1 10 comp1.com
day2 user1 17 comp1.com
day3 user1 5 comp1.com
day1 user2 17 comp2.com
day2 user2 11 comp2.com
day3 user2 13 comp2.com
...

GoneSplunking
Explorer

index=* host=* sourcetype="WinEventLog:Security" EventCode="4624" OR EventCode=4634
| transaction user maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval Logontime=if(EventCode="4624",_time,null())
| eval Logofftime=Logontime+duration
| convert ctime(Logontime) as Logontime
| convert ctime(Logofftime) as Logofftime
| bucket _time span=day
| stats sum(duration) by _time user host
| rename duration AS "Duration (seconds)"

0 Karma

bschaefer
Splunk Employee
Splunk Employee

There are a few reasons why tracking session logon time in this manner is not accurate. For one, users typically don't physically log out, they lock their workstation, or allow the screen saver to lock it (which doesn't actually lock the workstation until someone wakes the computer back up). Also, someone trying to evade time detection can just hit the power button on the machine, assuming they have physical access to the box.

That being said, the following search should get you started in the right direction:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0) 
|table  User,Duration(M),ComputerName
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...