Has anyone tried monitoring and searching interact...

jhillenburg · ‎01-27-2015

Hi. Splunk makes it pretty easy to identify logon/logoff events. However, what I'm really interested in right now are interactive events -- ie. someone who is logging directly into a system using the console or RDP, rather than logon events that are initiated by a service starting or someone unlocking their system. Has anyone tried this before?

Thanks.

gcusello · ‎01-16-2017

Hi jhillenburg,
You could use the Logon_Type field:

2,Interactive Access 3,Network Access
4,Script Access 5,Servirce Access
7,Interactive Accessfrom Blocked Console
10,Terminal Services Access
11,Interactive Access with cached credentials

Beware to duplicated Login Events: each access generates many login events, so you have to filter them using dedup or transaction commands.

Bye.
Giuseppe

hochit · ‎01-16-2017

I'm looking for a solution of this as well. Seems app for windows infra doesn't provide this.
Seems we can archive it by PowerShell.
I haven't started yet, just begin with thought exchange. What do you think?

https://gallery.technet.microsoft.com/scriptcenter/Get-LoggedOnUser-Gathers-7cbe93ea

Has anyone tried monitoring and searching interactive Windows Active Directory logon events?

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel