I am trying to set up an alert in Splunk that will email a user whenever their Windows session is X days old. It would be across multiple hosts/users and use the security event log to determine if there hasn't been a 4647 or 1074 event since their 4624 logon event.
Has anyone set up something similar?
Thanks in advance!
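The correlation the question describes, as an added example that is not part of the original post: it tracks the first interactive 4624 per host/user and clears it on a 4647 or a host-wide 1074, leaving the sessions older than X days for the alert to email. The event dictionaries, their field names (`time`, `host`, `user`, `event_id`, `logon_type`), the set of logon types counted as a session, and the choice to let 1074 end every session on the host are assumptions; the events are taken to be already exported from Splunk.

```python
from datetime import datetime, timedelta

# Assumption: only these 4624 logon types start a user session
# (2 = interactive, 10 = RemoteInteractive, 11 = CachedInteractive).
INTERACTIVE = {2, 10, 11}

def stale_sessions(events, now, max_age_days):
    """Return (host, user, session_start, age_days) for sessions open too long."""
    open_sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        host, user = ev["host"].lower(), ev["user"].lower()
        if ev["event_id"] == 4624 and ev.get("logon_type") in INTERACTIVE:
            # Keep the first logon; later 4624s must not reset the session age.
            open_sessions.setdefault((host, user), ev["time"])
        elif ev["event_id"] == 4647:
            open_sessions.pop((host, user), None)  # user-initiated logoff
        elif ev["event_id"] == 1074:
            # Assumption: a shutdown/restart ends every session on that host,
            # whoever initiated it.
            for key in [k for k in open_sessions if k[0] == host]:
                del open_sessions[key]
    limit = timedelta(days=max_age_days)
    return sorted((h, u, start, (now - start).days)
                  for (h, u), start in open_sessions.items()
                  if now - start >= limit)

def make_event(ts, host, user, event_id, logon_type=None):
    """Build one constructed event record (hypothetical helper)."""
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "event_id": event_id, "logon_type": logon_type}

# Constructed sample events, not real log data.
NOW = datetime(2024, 5, 20, 9, 0)
SAMPLE_EVENTS = [
    make_event("2024-05-01T08:00", "WS02", "bob", 4624, 10),
    make_event("2024-05-01T17:00", "WS02", "bob", 4647),
    make_event("2024-05-02T08:00", "SRV01", "carol", 4624, 2),
    make_event("2024-05-06T08:00", "WS01", "alice", 4624, 2),
    make_event("2024-05-10T02:00", "SRV01", "SYSTEM", 1074),
    make_event("2024-05-18T08:00", "WS02", "bob", 4624, 10),
    make_event("2024-05-19T12:00", "WS01", "alice", 4624, 3),  # network logon, ignored
]

if __name__ == "__main__":
    for host, user, start, age in stale_sessions(SAMPLE_EVENTS, NOW, 7):
        print(f"{user}@{host}: session open since {start} ({age} days)")
```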