Try this. Since your environment is small, it should work well -- there are a lot of different corner cases in large, complex environments that make things more complicated. In addition to logon types 2 and 10, you should include 7 for unlocking an existing session, and 11 for local logins using cached credentials. As for calculating when a session ends, this is the tricky part. You can look for EventCode 4647 (user initiated logoff), 4779 (terminal/RDP disconnect), and 4800 for locked screen. To calculate active sessions with no logoff events, we will rely on orphaned transactions and use the current time to calculate session length.

source=WinEventLog:Security (EventCode=4647 OR EventCode=4779 OR EventCode=4800 OR (EventCode=4624 AND (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11))) earliest=-18h@h
| eval event_type=CASE(EventCode=4624, "logon", EventCode=4779 OR EventCode=4800 OR EventCode=4647, "logoff") | eval user=LOWER(user)
| dedup host user event_type
| transaction host user keeporphans=1 unifyends=1 maxspan=24h maxopentxn=10000 startswith=(event_type=logon) endswith=(event_type=logoff)
| eval current_status=IF(event_type="logoff", "inactive", "active")
| eval duration_secs=IF(event_type="logoff", duration, now()-_time)
| eval duration_hours=ROUND(duration_secs/3600, 2)
| table _time duration_hours duration_secs host user EventCode Logon_Type event_type current_status
| where duration_hours>12
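The pairing logic of the search above, written out in plain Python so the transaction semantics can be checked on known input. This is an added illustration, not Splunk code and not part of the original answer. It mirrors the search: a 4624 with logon type 2, 7, 10 or 11 opens a session for a (host, lowercased user) pair, a 4647, 4779 or 4800 closes it, a new logon while one is already open ends the earlier one without a logoff (the `startswith` behaviour of `transaction`), a logoff with no matching logon is kept as a zero-length orphan, and an open session is measured against the current time. The event records, the `NOW` timestamp and the host/user names are constructed sample data. One difference from the search: there is no `dedup`, so every session of a user is kept rather than only the latest.

```python
"""Pair Windows logon/logoff audit events into sessions and flag long ones.

Added example mirroring the Splunk transaction logic above; the events
below are constructed sample records, not real audit log exports.
"""
from datetime import datetime, timedelta, timezone

LOGON_TYPES = {2, 7, 10, 11}        # interactive, unlock, RDP, cached interactive
LOGOFF_CODES = {4647, 4779, 4800}   # user-initiated logoff, RDP disconnect, lock


def ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"_time": ts("2024-03-11 08:00"), "host": "ws01", "user": "Alice", "EventCode": 4624, "Logon_Type": 2},
    {"_time": ts("2024-03-11 09:00"), "host": "ws01", "user": "Alice", "EventCode": 4624, "Logon_Type": 3},  # network logon, ignored
    {"_time": ts("2024-03-11 12:00"), "host": "ws01", "user": "alice", "EventCode": 4800},                   # lock ends session
    {"_time": ts("2024-03-11 13:00"), "host": "ws01", "user": "alice", "EventCode": 4624, "Logon_Type": 7},  # unlock starts a new one
    {"_time": ts("2024-03-11 17:30"), "host": "ws01", "user": "alice", "EventCode": 4647},
    {"_time": ts("2024-03-11 20:00"), "host": "srv02", "user": "bob", "EventCode": 4624, "Logon_Type": 10},  # RDP, never logged off
    {"_time": ts("2024-03-11 09:15"), "host": "ws03", "user": "carol", "EventCode": 4779},                   # logoff with no logon in window
    {"_time": ts("2024-03-11 20:30"), "host": "srv02", "user": "dave", "EventCode": 4624, "Logon_Type": 2},
    {"_time": ts("2024-03-11 21:30"), "host": "srv02", "user": "dave", "EventCode": 4624, "Logon_Type": 2},  # second logon supersedes the first
]
NOW = ts("2024-03-12 10:00")  # constructed "current time" standing in for now()


def classify(event):
    """Return 'logon', 'logoff' or None, as the CASE() in the search does."""
    code = event["EventCode"]
    if code == 4624 and event.get("Logon_Type") in LOGON_TYPES:
        return "logon"
    if code in LOGOFF_CODES:
        return "logoff"
    return None


def build_sessions(events, now=NOW, maxspan=timedelta(hours=24)):
    """Group events by (host, user) into sessions, keeping orphans."""
    sessions = []
    open_logons = {}  # (host, user) -> logon event still waiting for a logoff

    def emit(logon, logoff):
        src = logon if logon is not None else logoff
        start = src["_time"]
        if logoff is not None:
            end, status = logoff["_time"], "inactive"   # closed transaction: use its duration
        else:
            end, status = now, "active"                  # orphaned logon: measure to now()
        sessions.append({
            "host": src["host"],
            "user": src["user"].lower(),
            "start": start,
            "end": end,
            "status": status,
            "duration_hours": round((end - start).total_seconds() / 3600, 2),
        })

    for ev in sorted(events, key=lambda e: e["_time"]):
        kind = classify(ev)
        if kind is None:
            continue
        key = (ev["host"], ev["user"].lower())  # LOWER(user) so "Alice" and "alice" pair up
        if kind == "logon":
            if key in open_logons:              # a new start event closes the earlier open transaction
                emit(open_logons.pop(key), None)
            open_logons[key] = ev
        else:
            logon = open_logons.pop(key, None)
            if logon is not None and ev["_time"] - logon["_time"] > maxspan:
                emit(logon, None)               # too far apart for one transaction
                logon = None
            emit(logon, ev)                     # logon is None -> zero-length orphaned logoff

    for logon in open_logons.values():          # sessions still open at the end of the window
        emit(logon, None)
    return sessions


def long_sessions(sessions, threshold_hours=12):
    """Equivalent of '| where duration_hours>12'."""
    return [s for s in sessions if s["duration_hours"] > threshold_hours]


if __name__ == "__main__":
    for s in long_sessions(build_sessions(SAMPLE_EVENTS)):
        print(s["host"], s["user"], s["status"], s["duration_hours"])
```

Running it on the sample data flags bob's 14-hour RDP session and both of dave's open sessions, while alice's two sessions (split at the lock/unlock) and carol's orphaned disconnect stay below the threshold.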