Forgive me for this question, but I am new to Splunk.
We are looking to see if we can use Splunk to locate accounts (Active Directory, for example) where there are multiple simultaneous logins. For example, we want to know if JSMITH is logged in twice (or more) at the same time. Since we prohibit that, we want to report on it. Any ideas on how we can do this and yet minimize false positives?
Thanks!
Are you running Splunk, or Splunk Light? Splunk Light doesn't support the App for Windows Infrastructure (which codifies these types of questions), but you can still use a basic search to do this.
There are a couple of answers that address similar questions:
https://answers.splunk.com/answers/5928/search-query-for-multiple-login-done-by-more-than-one-pc.htm...
https://answers.splunk.com/answers/301152/how-to-search-a-list-of-users-that-have-logged-in.html
Hope this helps.
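The "basic search" approach in the answer above, worked through as an added example (Python, not SPL, and not code from the thread or from Splunk): it pairs Windows Security 4624 logon events with the 4634 logoff carrying the same Logon_ID, keeps only interactive logon types, and flags a user whose open sessions overlap in time on two or more distinct hosts. The sample events, host names, Logon_IDs and timestamps are constructed for the example; the key=value field names mirror what Splunk extracts from Windows Security events. Two sessions on the same host do not count, and network logons (type 3) are dropped, which is where most of the false positives for a plain per-user distinct count of hosts come from.

```python
"""Flag accounts logged on interactively from two or more hosts at once.

Added example, not from the thread or from Splunk. Sample events below are
CONSTRUCTED (hypothetical hosts, Logon_IDs, times) and mimic the key=value
fields Splunk extracts from EventCode 4624 (logon) and 4634 (logoff).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Windows logon types that mean a person is actually in a session:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Network (3), Service (5) and Unlock (7) logons fire constantly for one user
# and are ignored so they do not dominate the false positives.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) "
    r"ComputerName=(?P<host>\S+) Logon_Type=(?P<ltype>\d+) Logon_ID=(?P<lid>\S+)$"
)

# Constructed sample, not real data. JSMITH ends up on WS01 and WS02 at once;
# the FS01 event is a network logon and ADOE's two sessions are on one host.
SAMPLE_LOGS = """\
2024-03-01T08:00:00Z EventCode=4624 Account_Name=JSMITH ComputerName=WS01 Logon_Type=2 Logon_ID=0x1A
2024-03-01T08:05:00Z EventCode=4624 Account_Name=JSMITH ComputerName=FS01 Logon_Type=3 Logon_ID=0x2B
2024-03-01T08:30:00Z EventCode=4634 Account_Name=JSMITH ComputerName=WS01 Logon_Type=2 Logon_ID=0x1A
2024-03-01T08:31:00Z EventCode=4624 Account_Name=JSMITH ComputerName=WS01 Logon_Type=2 Logon_ID=0x3C
2024-03-01T09:00:00Z EventCode=4624 Account_Name=JSMITH ComputerName=WS02 Logon_Type=10 Logon_ID=0x4D
2024-03-01T09:20:00Z EventCode=4634 Account_Name=JSMITH ComputerName=WS02 Logon_Type=10 Logon_ID=0x4D
2024-03-01T08:10:00Z EventCode=4624 Account_Name=ADOE ComputerName=WS05 Logon_Type=2 Logon_ID=0x5E
2024-03-01T08:12:00Z EventCode=4624 Account_Name=ADOE ComputerName=WS05 Logon_Type=2 Logon_ID=0x6F
"""


def parse_events(text):
    """Parse key=value lines into dicts, skipping anything that is not a logon/logoff."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": ts, "code": int(m["code"]), "user": m["user"].upper(),
                       "host": m["host"].upper(), "ltype": int(m["ltype"]), "lid": m["lid"]})
    events.sort(key=lambda e: e["time"])
    return events


def build_sessions(events, now=None):
    """Pair each interactive 4624 with the 4634 carrying the same Logon_ID on the
    same host. Sessions with no logoff yet are treated as still open at `now`
    (default: the latest timestamp seen). Returns (user, host, start, end) tuples."""
    if not events:
        return []
    open_by_lid, sessions = {}, []
    for e in events:
        if e["code"] == 4624 and e["ltype"] in INTERACTIVE_LOGON_TYPES:
            open_by_lid[(e["host"], e["lid"])] = e
        elif e["code"] == 4634:
            start = open_by_lid.pop((e["host"], e["lid"]), None)
            if start is not None:
                sessions.append((start["user"], start["host"], start["time"], e["time"]))
    end = now or max(e["time"] for e in events)
    for start in open_by_lid.values():
        sessions.append((start["user"], start["host"], start["time"], end))
    return sessions


def concurrent_logons(sessions):
    """Sweep each user's session boundaries in time order and report every
    interval during which that user has sessions open on >= 2 distinct hosts."""
    by_user = defaultdict(list)
    for user, host, start, end in sessions:
        by_user[user].append((start, +1, host))
        by_user[user].append((end, -1, host))
    findings = []
    for user, points in by_user.items():
        # At equal timestamps a logoff (-1) sorts before a logon (+1), so a
        # session that ends exactly when another begins is not an overlap.
        points.sort(key=lambda p: (p[0], p[1]))
        active = defaultdict(int)  # host -> number of open sessions there
        overlap_start, overlap_hosts = None, set()
        for t, delta, host in points:
            active[host] += delta
            if active[host] == 0:
                del active[host]
            if len(active) >= 2:
                if overlap_start is None:
                    overlap_start, overlap_hosts = t, set()
                overlap_hosts |= set(active)
            elif overlap_start is not None:
                findings.append((user, sorted(overlap_hosts), overlap_start, t))
                overlap_start = None
    return findings


def detect(text, now=None):
    """Raw lines in, list of overlap dicts (ISO-8601 UTC timestamps) out."""
    sessions = build_sessions(parse_events(text), now)
    return [{"user": u, "hosts": h, "start": s.isoformat(), "end": e.isoformat()}
            for u, h, s, e in concurrent_logons(sessions)]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['user']} on {', '.join(f['hosts'])} from {f['start']} to {f['end']}")
```

On the constructed sample this reports JSMITH on WS01 and WS02 between 09:00 and 09:20 only: the earlier WS01 session was closed by its 4634 before the second one opened, the FS01 network logon is never counted, and ADOE's two console sessions are on one host. A 4624 with no matching 4634 is treated as still open, so a missed logoff event will keep a host "active" until the search window ends; that is the trade-off to keep in mind when tuning this for false positives.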
Have you looked at the Splunk App for Windows Infrastructure? https://splunkbase.splunk.com/app/1680/
Many thanks. I have not yet, but will check this out.