search when windows users login and logout by host

Path Finder

I try to build some complex search.
We try to build correlated search, which user ran the application and on what host. We using paloalto log to find apps and src_ip, Windows Security logs to find User and src_ip and DHCP Logs to find hostname on src_ip
We have recieved event from PALO ALTO firewall.
_time src_ip apps
We have recieved event from wineventlog:Security, what user was logged on to the machine with SAME ip
We have collect DHCP Logs to find Hostname by ip-address.

My search:

sourcetype=pan_traffic | join src_ip type=outer [search index=wineventlog EventCode=4624 | dedup user | join dest [search sourcetype=DhcpSrvLog signature="DNS dynamic update successful"] | rename dest AS dest_name | rename dest_ip AS src_ip] | table generated_time,log_subtype,src_ip,application,dest_name,user

This search not correct, because it search last login user on the host.

I think, we must to compare "generated_time" with user login time. So we must to find intervals, when user login by host. I think we must to use transaction. So search:

sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634 action=success | dedup _time | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) |eval User=lower(User)| search NOT User=*$ | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 | eval timeend=_time+duration | convert timeformat="%y-%m-%d %H:%M:%S" ctime(timeend) AS logoff_time | table User,_time,logoff_time

But how how to find online users?? And by host??

So, how to find intervals, when user online (and find current ONLINE users) and build table: generated_time,log_subtype,src_ip,application,dest_name,user


P.S. sorry for my English

Tags (2)
0 Karma


You can install "PAN-OS Integrated User-ID Agent" it will allow you to do Map IP Addresses to Users

0 Karma

Path Finder

The customer wants to see the advantages Splunk in processing the correlation of events.
So, we cannot install Agents...

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...