Has anyone tried monitoring and searching interact...

jhillenburg · ‎01-27-2015

Hi. Splunk makes it pretty easy to identify logon/logoff events. However, what I'm really interested in right now are interactive events -- ie. someone who is logging directly into a system using the console or RDP, rather than logon events that are initiated by a service starting or someone unlocking their system. Has anyone tried this before?

Thanks.

gcusello · ‎01-16-2017

Hi jhillenburg,
You could use the Logon_Type field:

2,Interactive Access 3,Network Access
4,Script Access 5,Servirce Access
7,Interactive Accessfrom Blocked Console
10,Terminal Services Access
11,Interactive Access with cached credentials

Beware to duplicated Login Events: each access generates many login events, so you have to filter them using dedup or transaction commands.

Bye.
Giuseppe

hochit · ‎01-16-2017

I'm looking for a solution of this as well. Seems app for windows infra doesn't provide this.
Seems we can archive it by PowerShell.
I haven't started yet, just begin with thought exchange. What do you think?

https://gallery.technet.microsoft.com/scriptcenter/Get-LoggedOnUser-Gathers-7cbe93ea

Has anyone tried monitoring and searching interactive Windows Active Directory logon events?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio