Splunk Search

User Account Logged On For More Than 12 Hours

websplunk01
Engager

Hi,
I am trying to figure out how to write a query to create an alert that will alert me whenever a user is logged on to the machine for more than 12 hours.
Can you please help me figure this out. Thank you

0 Karma

johnhua
Contributor

Try this. Since your environment is small, it should work well -- there are a lot of different corner cases with large complex environments that make things more complicated.

In addition to logon types 2 and 10, you should include 7 for unlocking an existing session, and 11 for local logins using cached credentials.

As for calculating when a session ends, this is the tricky part. You can look for EventCode 4657 (user-initiated logoff), 4779 (terminal/RDP disconnect), and 4800 for locked screen.

To calculate active sessions with no logoff events, we will rely on orphaned transactions and use the current time to calculate session length.

source=WinEventLog:Security (EventCode=4647 OR EventCode=4779 OR EventCode=4800 OR (EventCode=4624 AND (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11))) earliest=-18h@h
| eval event_type=CASE(EventCode=4624, "logon", EventCode=4779 OR EventCode=4800 OR EventCode=4647, "logoff") | eval user=LOWER(user)
| dedup host user event_type
| transaction host user keeporphans=1 unifyends=1 maxspan=24h maxopentxn=10000 startswith=(event_type=logon) endswith=(event_type=logoff) 
| eval current_status=IF(event_type="logoff", "inactive", "active")
| eval duration_secs=IF(event_type="logoff", duration, now()-_time)
| eval duration_hours=ROUND(duration_secs/3600, 2)
| table _time duration_hours duration_secs host user EventCode Logon_Type event_type current_status
| where duration_hours>12
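
The pairing logic of the query above, as an added Python example that is not from the thread: it classifies events the same way as the eval, keeps only the latest logon and logoff per host/user (the dedup step), measures closed sessions logon-to-logoff and open sessions logon-to-now, and flags anything over 12 hours. Hostnames reuse the thread's ComputerName values; the users, timestamps, the WS01 host and the fixed "now" are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): timestamp, host, user, EventCode, Logon_Type.
SAMPLE_EVENTS = [
    ("2022-01-14 08:00:00", "2R4EHQA", "Admin", 4624, 10),   # RDP logon, never logged off
    ("2022-01-14 09:00:00", "GWD58EF", "alice", 4624, 2),    # console logon ...
    ("2022-01-14 17:30:00", "GWD58EF", "alice", 4647, None), # ... then user-initiated logoff
    ("2022-01-14 20:00:00", "GWD58EF", "bob", 4624, 3),      # network logon: out of scope
    ("2022-01-14 06:00:00", "WS01", "carol", 4624, 2),
    ("2022-01-14 20:30:00", "WS01", "carol", 4800, None),    # workstation locked: session end
    ("2022-01-13 20:00:00", "WS01", "dave", 4624, 2),
    ("2022-01-13 21:00:00", "WS01", "dave", 4647, None),     # logged off ...
    ("2022-01-14 21:00:00", "WS01", "dave", 4624, 2),        # ... then logged on again
]
NOW = datetime(2022, 1, 14, 22, 0, 0)  # fixed "now" so the example is deterministic
LOGON_TYPES = {2, 7, 10, 11}        # interactive, unlock, RDP, cached interactive
LOGOFF_CODES = {4647, 4779, 4800}   # logoff, RDP disconnect, workstation locked

def classify(event_code, logon_type):
    """Same mapping as the SPL eval: 4624 with an in-scope type is a logon, the rest logoffs."""
    if event_code == 4624 and logon_type in LOGON_TYPES:
        return "logon"
    if event_code in LOGOFF_CODES:
        return "logoff"
    return None  # anything else would not match the base search

def long_sessions(events, now, threshold_hours=12.0):
    """Latest logon/logoff per host/user (the dedup step); measure to the logoff if it is newer, else to now."""
    latest = defaultdict(dict)  # (host, user) -> {"logon": ts, "logoff": ts}
    for ts, host, user, code, logon_type in events:
        kind = classify(code, logon_type)
        if kind is None:
            continue
        key = (host, user.lower())  # the SPL lowercases user as well
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if t > latest[key].get(kind, datetime.min):
            latest[key][kind] = t
    flagged = []
    for (host, user), seen in sorted(latest.items()):
        if "logon" not in seen:
            continue  # an orphaned logoff has no start to measure from
        start, end = seen["logon"], seen.get("logoff")
        if end is not None and end >= start:
            status, hours = "inactive", (end - start).total_seconds() / 3600
        else:
            status, hours = "active", (now - start).total_seconds() / 3600
        if hours > threshold_hours:
            flagged.append({"host": host, "user": user, "status": status, "duration_hours": round(hours, 2)})
    return flagged
```

Note that the query's earliest=-18h@h window means a session that started earlier than that has no logon in scope and will not be reported at all.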

johnhua
Contributor

Having worked through a lot of challenges around calculating Windows sessions, it is much more complex than you'd expect.

The sample event that you've provided indicates that the logon type = 3, which is logged when a user accesses a shared resource of the host remotely (e.g. mapped drive) -- should that be in scope? How about services running as a service account? More info about logon types: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

What is the size of your environment, number of users and hosts? What is your (screensaver) password inactivity lock policy?

Give me a better understanding of what you're trying to achieve.

0 Karma

websplunk01
Engager

It would be something like: source=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10). I don't need to log in the service user; at the moment I have 6 machines connected to Splunk and I want an alert to be sent when a user is logged in for more than 12 hours.

0 Karma

ITWhisperer
SplunkTrust

What events do you have available?

0 Karma

websplunk01
Engager

Security, system and application

0 Karma

ITWhisperer
SplunkTrust

Can you provide some sample events please?

0 Karma

websplunk01
Engager

01/13/2022 02:12:37 PM LogName=Security EventCode=4624 EventType=0 ComputerName=GWD58EF SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=51488031 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: GWD58EF\admin Account Name: admin Account Domain: GWD58EF Logon ID: 0x1FF978045 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: XTHD09A Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

0 Karma

ITWhisperer
SplunkTrust

Can you split this up into separate events, perhaps putting each in a code block </>

0 Karma

websplunk01
Engager

01/14/2022 09:47:17 AM
LogName=Security
EventCode=4624
EventType=0
ComputerName=2R4EHQA
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=166686450
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		2R4EHQA$
	Account Domain:		WGG25TJD3
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		10
	Restricted Admin Mode:	No
	Virtual Account:		No
	Elevated Token:		No

Impersonation Level:		Impersonation

New Logon:
	Security ID:		2R4EHQA\admin
	Account Name:		admin
	Account Domain:		2R4EHQA
	Logon ID:		0x10B4B3F587
	Linked Logon ID:		0x10B4B3F54B
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x914
	Process Name:		C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	SV00001-2R4EHQA
	Source Network Address:	192.168.2.11
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This is a result of the search query: source=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10)

0 Karma

ITWhisperer
SplunkTrust

And which event tells you they have logged off or disconnected?

0 Karma

websplunk01
Engager

That's the thing, they didn't log off; they are still connected. So now -12h

0 Karma

ITWhisperer
SplunkTrust

But presumably you want to ignore those who have logged off? So, how do you find which those are?

0 Karma

isoutamo
SplunkTrust

I think that this is the hardest part of this case. Maybe this helps you https://superuser.com/questions/1614690/how-to-find-when-a-user-is-started-and-ended-a-session-on-co...

r. Ismo

0 Karma

websplunk01
Engager

Not sure, I just started with Splunk and have little knowledge. That's why I was asking for help.

0 Karma

ITWhisperer
SplunkTrust

Finding things that don't exist is not one of Splunk's strong suits - Splunk is merely a tool to help you analyse your data - knowledge of your data is by far the most important thing to grasp. Having said that, in order to find what is missing, e.g. a log off event, you need to find the log on events and remove all the log on events which do have corresponding log off events, so that you are left with log on events which don't have log off events, bearing in mind that you might well have disconnect events in your data, which might effectively serve the same purpose as log off events (it depends what you have in your data!).

0 Karma

websplunk01
Engager

That's the thing. There is no log off event; the user logs on and we can find that out by the query I shared. The question is how to calculate the time of logging on + 12 hours, and that's where I needed help. But I think I found some queries on https://gosplunk.com/ that will help me find a way, thank you

0 Karma

ITWhisperer
SplunkTrust

Try something like this

| eval plus12h=relative_time(_time,"+12h")

0 Karma

websplunk01
Engager

I will, thank you

0 Karma