Splunk Search

Detecting Simultaneous Sessions

Warme1980
Engager

I have an inhouse written app that outputs an audit log in the form of:

DateTime,Username,Activity,SessionID

So I'll get:

01:01:01,Fred001,Logon,001
01:01:02,Fred001,TakeOverWorld,001
01:01:03,Fred001,Logon,002
01:01:04,Fred001,Logoff,001
01:01:05,Fred001,DestroyWorld,002
01:01:06,Fred001,Logoff,002

Now obviously, aside from taking over the world (which is not against our policies) Fred has shared his password (which is) with someone who destroyed the world (also not explicitly against our policy).

So we need to talk to Fred about his blatant disregard of the simultaneous logon policy.

How do I construct a Splunk query to catch him?

Thanks!

sundareshr
Legend
0 Karma

Warme1980
Engager

Hrm, that might be the thread I need to start tugging on to get to a solution, thanks!

0 Karma
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...