Splunk Search

How to find an active user session on different machines at the same time?

guimilare
Communicator

Hello Splunkers.

Using the wineventlog I can tell when a user logged on and off based on EventCodes 4624 and 4634 and the logon id:

Logon:

03/09/2017 11:54:51 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxxxxxxxx
TaskCategory=Logon
OpCode=Info
RecordNumber=xxxxx
Keywords=Audit Success
Message=An account was successfully logged on.
...
New Logon:
Security ID:        XXX\visit
Account Name:       visit
Account Domain:     XXX
Logon ID:       0xA2207D111

Logoff

03/09/2017 12:11:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=xxxxxx
TaskCategory=Logoff
OpCode=Info
RecordNumber=xxxxxx
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID:        XXX\visit
    Account Name:       visit
    Account Domain:     XXX
    Logon ID:       0xA2207D111

However, I need to know when the same Account Name is using two machines, I mean, when there are two sessions active at the same time.

Any ideas how I can do this?

Regards,
GMA

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

... | streamstats current=f last(EventCode) AS nextEventCode BY user
| reverse
| streamstats current=f last(EventCode) AS prevEventCode BY user
| reverse
| search (EventCode=4624 AND prevEventCode=4624) OR (EventCode=4624 AND nextEventCode=4624)

This shows you any time any user has 2 logins (4624) without a logout between them (4634). This is a HUGE shortcut.


0 Karma

guimilare
Communicator

I tried this:

index="myindex_wineventlog" user=visit (EventCode=4624 OR EventCode=4634) | rex field=_raw ".*(?<tr_id>0x\w{9})" | transaction tr_id | concurrency duration=duration

However, this search brings the durations of the sessions, and not the sessions that overlap...

0 Karma
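The two approaches discussed in this thread, as an added Python example that is not from the thread, from Splunk, or from either poster: `build_sessions` pairs each 4624 with the 4634 carrying the same Logon ID (the `transaction tr_id` step in the comment above), `overlapping_sessions` checks which of one account's sessions are active at the same time on two different ComputerNames (what `concurrency` does, restricted to different hosts, which is the original question), and `consecutive_logons` reproduces the accepted answer's shortcut of two 4624s for one user with no 4634 between them. The sample events, host names WS01/WS02, account names and Logon IDs are constructed; the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread), trimmed to the lines the logic uses.
SAMPLE_EVENTS = """\
03/09/2017 11:54:51 AM
EventCode=4624
ComputerName=WS01
Account Name:       visit
Logon ID:       0xA2207D111

03/09/2017 12:02:10 PM
EventCode=4624
ComputerName=WS02
Account Name:       visit
Logon ID:       0xB3318E222

03/09/2017 12:11:21 PM
EventCode=4634
ComputerName=WS01
Account Name:       visit
Logon ID:       0xA2207D111

03/09/2017 12:40:00 PM
EventCode=4624
ComputerName=WS01
Account Name:       alice
Logon ID:       0xC4429F333

03/09/2017 12:41:00 PM
EventCode=4624
ComputerName=WS01
Account Name:       alice
Logon ID:       0xD5530A444
"""

FIELD_RE = {  # Logon IDs vary in length, so match 0x plus any hex rather than \w{9}
    "code": re.compile(r"^EventCode=(\d+)", re.M),
    "host": re.compile(r"^ComputerName=(\S+)", re.M),
    "user": re.compile(r"^Account Name:\s+(\S+)", re.M),
    "logon_id": re.compile(r"^Logon ID:\s+(0x[0-9A-Fa-f]+)", re.M),
}


def parse_events(raw):
    """Split the raw text on blank lines, extract the fields used below, sort by time."""
    events = []
    for block in raw.strip().split("\n\n"):
        ev = {"time": datetime.strptime(block.splitlines()[0], "%m/%d/%Y %I:%M:%S %p")}
        ev.update((k, rx.search(block).group(1)) for k, rx in FIELD_RE.items())
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def build_sessions(events):
    """Pair each 4624 with the 4634 carrying the same Logon ID (like `transaction`).
    A logon with no matching logoff is an open session: its end is datetime.max."""
    sessions = {}
    for ev in events:
        if ev["code"] == "4624":
            sessions[ev["logon_id"]] = dict(ev, start=ev["time"], end=datetime.max)
        elif ev["code"] == "4634" and ev["logon_id"] in sessions:
            sessions[ev["logon_id"]]["end"] = ev["time"]
    return list(sessions.values())


def overlapping_sessions(sessions):
    """(user, host_a, host_b, overlap_start, overlap_end) for each pair of one
    user's sessions that are active at the same time on two different hosts."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    hits = []
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s["start"])
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:  # b starts no earlier than a
                if a["host"] != b["host"] and b["start"] < a["end"]:
                    hits.append((user, a["host"], b["host"], b["start"], min(a["end"], b["end"])))
    return hits


def consecutive_logons(events):
    """The accepted answer's shortcut: a 4624 whose neighbouring event for the
    same user (previous or next, in time order) is also a 4624. The host is
    not considered, so two logons on the same machine are flagged as well."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    flagged = []
    for evs in by_user.values():
        codes = [e["code"] for e in evs]
        for i, ev in enumerate(evs):
            neighbours = codes[max(i - 1, 0):i] + codes[i + 1:i + 2]
            if ev["code"] == "4624" and "4624" in neighbours:
                flagged.append((ev["user"], ev["host"], ev["time"]))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(overlapping_sessions(build_sessions(evs)))
    print(consecutive_logons(evs))
```

On the sample data the overlap check reports only `visit`, whose WS01 session is still open when the WS02 session starts, while the consecutive-logon shortcut also flags `alice`, who simply logged on twice to the same machine. That is the difference between the two searches in this thread: the shortcut is cheap and catches any repeated logon without a logoff, whereas the session-pairing approach answers the narrower question of one account active on two hosts at once, and it also keeps treating a session with no 4634 (for example after a host reboot or lost logoff event) as active, which is usually what you want when hunting for shared or stolen credentials.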