Splunk Enterprise Security

How to identify logoffs when there isn't always a logoff event

Explorer

I've been working on a problem that has me stumped.

I have a 4624 and 4663 event that I want to correspond with each other. The 4624 is used to identify logons while we are using 4663 (with a particular Object Name) as a way to signify logoffs. The problem is that there isn't always a 4663 generated, because it depends on the user accessing an item.

What I'd like to do is identify a 4663 event and then identify the most recent 4624 to tie them together.
The common thing that will be used to tie them together is the Account_Name field.

The closest thing I have working is below.

sourcetype=* ((Message=** AND Accesses=ReadAttributes) OR (Object_Name=))
| transaction Account_Name maxspan=12h
| eval Start=_time
| eval End=_time+duration
| eval StartTime=strftime(Start, "%m/%d/%y %H:%M:%S")
| eval EndTime=strftime(End, "%m/%d/%y %H:%M:%S")
| eval string_dur=tostring(round(duration), "duration")
| eval formatted_dur=replace(string_dur, "(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)", "\1d \2h \3m \4s")
| eval Duration=replace(formatted_dur, "^d (0h (0m )?)?", "")
| table Account_Name, StartTime, EndTime, Duration

SplunkTrust

This site is the best for working with Windows logs: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624

🙂

If you are trying to track "sessions" and cannot rely on the presence of a 4624/4634 pair then you can also use "Logon ID" and take the latest timestamp from any EventCode for which the user's Logon ID is present as your logoff time.

The main problem is that you have no idea what your time bucket for building this is...do user sessions last hours, days, weeks...how much data do you need to search to build sessions for users?

I would even question the entire premise of tracking user sessions...assuming you use weekly data sets and can build a semi-decent table of user sessions..then what? It's a hard problem, and it comes up all the time, and sometimes I just wonder...why, what is the actual value?

😄

Cheers...(longtime SIEM detection engineer and lover/hater of Windows Event Logs!)
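The two ways of closing a session discussed in this thread (the question's "tie each marker 4663 to the most recent 4624 for the same Account_Name" and the reply's "key on Logon ID and take the latest timestamp seen for that ID as the logoff"), worked through as an added example. This is not code from the original post or from Splunk; it is plain Python rather than SPL so the pairing logic can be run offline and the difference between the two approaches is visible. Field names follow the Splunk Windows add-on naming used in the question (_time, EventCode, Account_Name, Logon_ID, Object_Name); the marker Object_Name, account names, Logon IDs and timestamps are constructed sample data.

```python
"""Build user sessions from Windows Security events when 4634 is unreliable.

Added example for this thread (not the questioner's SPL and not Splunk code).
Assumptions, all invented for illustration: the LOGOFF_MARKER path is the
Object_Name the questioner treats as a logoff, and every event in
SAMPLE_EVENTS is constructed sample data.
"""
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed marker: the Object_Name whose 4663 the questioner treats as "logoff".
LOGOFF_MARKER = r"C:\Users\Public\logoff.flag"

# Constructed sample events, already sorted by _time.
SAMPLE_EVENTS = [
    {"_time": "2020-01-06 08:01:10", "EventCode": 4624, "Account_Name": "alice", "Logon_ID": "0x3E7A1"},
    {"_time": "2020-01-06 08:05:00", "EventCode": 4663, "Account_Name": "alice", "Logon_ID": "0x3E7A1", "Object_Name": r"C:\work\report.docx"},
    {"_time": "2020-01-06 08:10:00", "EventCode": 4624, "Account_Name": "bob",   "Logon_ID": "0x4B001"},
    {"_time": "2020-01-06 09:00:00", "EventCode": 4663, "Account_Name": "bob",   "Logon_ID": "0x4B001", "Object_Name": r"C:\work\budget.xlsx"},
    {"_time": "2020-01-06 12:30:00", "EventCode": 4663, "Account_Name": "alice", "Logon_ID": "0x3E7A1", "Object_Name": LOGOFF_MARKER},
    {"_time": "2020-01-06 13:00:00", "EventCode": 4624, "Account_Name": "alice", "Logon_ID": "0x3E7B9"},
    {"_time": "2020-01-06 13:15:00", "EventCode": 4663, "Account_Name": "alice", "Logon_ID": "0x3E7B9", "Object_Name": r"C:\work\notes.txt"},
    {"_time": "2020-01-06 17:45:00", "EventCode": 4663, "Account_Name": "bob",   "Logon_ID": "0x4B001", "Object_Name": r"C:\work\budget.xlsx"},
    {"_time": "2020-01-06 18:00:00", "EventCode": 4634, "Account_Name": "alice", "Logon_ID": "0x3E7B9"},
]


def _ts(event):
    return datetime.strptime(event["_time"], TIME_FMT)


def format_duration(seconds):
    """Render seconds as e.g. '4h 28m 50s', dropping leading zero units the
    way the questioner's replace() does ('1d 0h 5m 0s' keeps inner zeros)."""
    seconds = int(round(seconds))
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = []
    for value, unit in ((days, "d"), (hours, "h"), (minutes, "m")):
        if value or parts:
            parts.append(f"{value}{unit}")
    parts.append(f"{secs}s")
    return " ".join(parts)


def pair_marker_to_logon(events):
    """The questioner's approach: each marker 4663 is tied to the most recent
    earlier 4624 for the same Account_Name.  A session with no marker 4663
    (bob in the sample) never gets an end at all."""
    last_logon = {}   # Account_Name -> most recent 4624 seen so far
    sessions = []
    for ev in sorted(events, key=_ts):
        if ev["EventCode"] == 4624:
            last_logon[ev["Account_Name"]] = ev
        elif ev["EventCode"] == 4663 and ev.get("Object_Name") == LOGOFF_MARKER:
            logon = last_logon.pop(ev["Account_Name"], None)
            if logon is None:
                continue    # marker with no logon inside the search window
            start, end = _ts(logon), _ts(ev)
            sessions.append({"Account_Name": ev["Account_Name"], "start": start, "end": end,
                             "Duration": format_duration((end - start).total_seconds())})
    return sessions


def sessions_by_logon_id(events):
    """The Logon ID approach from the reply above: a 4624 opens a session keyed
    by Logon_ID; every later event carrying that Logon_ID advances the end;
    a 4634 or a marker 4663 closes it explicitly, otherwise the latest
    timestamp seen for that Logon_ID is taken as the logoff time."""
    open_sessions = {}  # Logon_ID -> session dict
    closed = []
    for ev in sorted(events, key=_ts):
        lid = ev.get("Logon_ID")
        when = _ts(ev)
        if ev["EventCode"] == 4624:
            open_sessions[lid] = {"Logon_ID": lid, "Account_Name": ev["Account_Name"],
                                  "start": when, "end": when, "end_reason": "last_seen"}
            continue
        sess = open_sessions.get(lid)
        if sess is None:
            continue        # activity for a Logon ID whose 4624 is outside the window
        sess["end"] = when
        if ev["EventCode"] == 4634:
            sess["end_reason"] = "4634"
        elif ev["EventCode"] == 4663 and ev.get("Object_Name") == LOGOFF_MARKER:
            sess["end_reason"] = "marker"
        if sess["end_reason"] != "last_seen":
            closed.append(open_sessions.pop(lid))
    # Sessions still open at the end of the window keep the last-seen time as their end.
    result = closed + list(open_sessions.values())
    for s in result:
        s["Duration"] = format_duration((s["end"] - s["start"]).total_seconds())
    return sorted(result, key=lambda s: s["start"])


if __name__ == "__main__":
    for s in sessions_by_logon_id(SAMPLE_EVENTS):
        print(f'{s["Account_Name"]:6} {s["Logon_ID"]:8} {s["start"]:%m/%d/%y %H:%M:%S} '
              f'{s["end"]:%m/%d/%y %H:%M:%S} {s["Duration"]:>12} ({s["end_reason"]})')
```

On the sample data the Account_Name pairing yields one session (alice's first), because bob never touches the marker object and alice's second logon ends with a 4634 rather than a marker; the Logon ID version yields all three, with bob's end flagged as "last_seen" so you know it is an estimate. In SPL the same Logon ID grouping is a `stats min(_time) max(_time) by Logon_ID` rather than a `transaction`, which sidesteps the maxspan guesswork. One caveat for real data: a Logon ID is only unique per boot of a given host, so include the host (and ideally a boot marker) in the grouping key when you search across machines or long time ranges.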

Explorer

@marycordova: sessions are what we are tracking. It is not a normal network and as such, we are trying to make this work. With that, people are largely not logged in for more than 24 hours. In fact, that occurrence is pretty rare.


Communicator

If collecting local/RDP logon information will do the job for you, you can capture the Windows logs "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational".

If you're trying to track network logon sessions, I don't envy you. I worked on that for a bit and came to the conclusion we would never get any kind of useful aggregate reporting out of network session information from Windows logs.

SplunkTrust

Can you use the "logon ID" then, if you have a pretty discrete time range to build sessions in?


Explorer

I am using Account_Name but could use Logon_ID. As far as time, 99% of the time, users aren't logged on past 10/12 hours at a time.


Explorer

I've also added more to my original post.


Communicator

Is your ultimate goal to identify when users log on and log off? Are you trying to track interactive logons (local, RDP) only?

I ask because if that's what you're trying to do I think there's a better way. Trying to build an idea of logon/logoff by object access is difficult.


Explorer

Yes. I agree there may be better ways. What I have to work with are those two logs, unfortunately.


Builder

Check whether the transaction command can assist you with this. If the 4624 and 4663 events are close together in time, you can check whether this command can group them by user_id instead.
Check this article for further assistance.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/Abouttransactions


Explorer

Transaction is getting me close, but now I am struggling with bucketing only the "logon" and "logoff" entries together. Depending on the maxspan value, it may or may not bucket correctly. I've altered my original post with the syntax.


Explorer

Thanks... I will check it out.
