Activity Feed
- Got Karma for How to identity logoffs when there isn't always a logoff event. 06-05-2020 12:50 AM
- Posted How to identity logoffs when there isn't always a logoff event on Splunk Enterprise Security. 11-02-2019 05:20 AM
- Tagged How to identity logoffs when there isn't always a logoff event on Splunk Enterprise Security. 11-02-2019 05:20 AM
Topics I've Started
Subject | Karma | Author | Latest Post |
---|---|---|---|
How to identity logoffs when there isn't always a logoff event | 1 | | 11-08-2019 08:47 AM |

11-08-2019 08:47 AM
Transaction is getting me close, but now I am struggling with bucketing only a "logon" and "logoff" entry together. Depending on the maxspan value, it may or may not bucket correctly. I've altered my original post with the syntax.
11-08-2019 08:45 AM
I've also added more to my original post.
11-08-2019 08:43 AM
I am using Account_Name but could use Logon_ID. As far as time, 99% of the time, users aren't logged on past 10/12 hours at a time.
11-07-2019 04:15 AM
Yes. I agree there may be better ways. What I have to work with are those two logs, unfortunately.
11-07-2019 04:13 AM
@marycordova: sessions are what we are tracking. It is not a normal network and, as such, we are trying to make this work. With that, people are largely not logged in more than 24 hours. In fact, that occurrence is pretty rare.
11-07-2019 04:12 AM
Thanks... I will check it out.
11-02-2019 05:20 AM
1 Karma
I've been working on a problem that has me stumped.
I have a 4624 and 4633 event that I want to correspond with each other. The 4624 is used to identify logons, while we are using 4663 (with a particular Object Name) as a way to signify logoffs. The problem is that there isn't always a 4663 generated, due to the user having to access an item.
What I'd like to do is identify a 4663 event and then identify the most recent 4624 to tie them together.
The common thing that will be used to tie them together is the Account_Name field.
The closest thing I have working is below.

```spl
sourcetype=* ((Message=** AND Accesses=ReadAttributes) OR (Object_Name="<object name>"))
| transaction Account_Name maxspan=12h
| eval Start=_time
| eval End=_time + duration
| eval StartTime=strftime(Start, "%m/%d/%y %H:%M:%S")
| eval EndTime=strftime(End, "%m/%d/%y %H:%M:%S")
| eval string_dur=tostring(round(duration), "duration")
| eval formatted_dur=replace(string_dur, "(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)", "\1d \2h \3m \4s")
| eval Duration=replace(formatted_dur, "^d (0h (0m )?)?", "")
| table Account_Name, StartTime, EndTime, Duration
```
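The pairing the post asks for, worked outside Splunk as an added example (this is not the poster's query or a Splunk-provided routine): each 4663 is tied to the most recent prior 4624 for the same Account_Name, but only if that logon is within the 12-hour span; logons that never get a 4663 and 4663s with no logon to tie to are reported separately, which is where a plain transaction silently merges or drops events. The event list, the field subset and the account names are constructed for the example; the duration formatting mirrors the post's "Dd Hh Mm Ss" with leading zero units dropped.

```python
from datetime import datetime, timedelta

LOGON, LOGOFF_MARKER = 4624, 4663  # 4663 stands in for a logoff, as in the post

# Constructed sample events (not from the original post): (time, EventCode, Account_Name).
EVENTS = [
    ("2019-11-01 08:00:00", LOGON, "alice"),
    ("2019-11-01 08:05:00", LOGON, "bob"),
    ("2019-11-01 16:30:00", LOGOFF_MARKER, "alice"),
    ("2019-11-02 07:55:00", LOGON, "alice"),          # superseded by the next logon
    ("2019-11-02 08:00:00", LOGON, "alice"),
    ("2019-11-02 17:00:00", LOGOFF_MARKER, "alice"),
    ("2019-11-03 09:00:00", LOGOFF_MARKER, "bob"),    # bob's only logon is >12h old
]

def fmt_duration(seconds):
    """Render like the SPL: 'Dd Hh Mm Ss', dropping leading 0d / 0h / 0m units."""
    d, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    parts = [(d, "d"), (h, "h"), (m, "m")]
    while parts and parts[0][0] == 0:   # strip 0d, then 0h, then 0m; seconds always stay
        parts.pop(0)
    return " ".join(f"{v}{u}" for v, u in parts + [(s, "s")])

def pair_sessions(events, maxspan=timedelta(hours=12)):
    """Tie each 4663 to the most recent unpaired 4624 of the same Account_Name
    (the same idea as streamstats last(...) by Account_Name), limited to maxspan.
    Returns (sessions, unclosed_logons, orphan_logoffs)."""
    last_logon = {}                      # Account_Name -> time of most recent unpaired 4624
    sessions, unclosed, orphans = [], [], []
    for ts, code, account in sorted(events):           # ISO timestamps sort chronologically
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if code == LOGON:
            if account in last_logon:                  # earlier logon never got its 4663
                unclosed.append((account, last_logon[account]))
            last_logon[account] = t
        elif code == LOGOFF_MARKER:
            start = last_logon.get(account)
            if start is not None and t - start <= maxspan:
                sessions.append((account, start, t, fmt_duration((t - start).total_seconds())))
                del last_logon[account]                # one logon closes at most one session
            else:
                orphans.append((account, t))           # nothing within maxspan to tie it to
    unclosed.extend(last_logon.items())                # logons still open at the end
    return sessions, unclosed, orphans

if __name__ == "__main__":
    for row in pair_sessions(EVENTS)[0]:
        print(row)
```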