Splunk Search

How to search for accounts (ex: Active Directory) where users are logged in two or more times at the same time?

Iggy66
New Member

Forgive me for this question, but I am new with Splunk.

We are looking to see if we can use Splunk to locate accounts (Active Directory for example) where there are multiple simultaneous logins. For example, we want to know if JSMITH is logged in twice (or more) at the same time. Since we prohibit that, we want to report on it. Any ideas how we can do this and yet minimize false positives?

Thanks!

0 Karma

rbittner_splunk
Splunk Employee

Are you running Splunk, or Splunk Light? Splunk Light doesn't support the App for Windows Infrastructure (which codifies these types of questions), but you can still use a basic search to do this.

There are a couple of answers that address similar questions:
https://answers.splunk.com/answers/5928/search-query-for-multiple-login-done-by-more-than-one-pc.htm...
https://answers.splunk.com/answers/301152/how-to-search-a-list-of-users-that-have-logged-in.html

Hope this helps.

0 Karma

sundareshr
Legend

Have you looked at the Splunk App for Windows Infrastructure? https://splunkbase.splunk.com/app/1680/

0 Karma

Iggy66
New Member

Many thanks - I have not yet, but will check this out.

0 Karma
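
As an added example (not written by any poster in this thread), here is the overlap logic behind such a report, in Python over constructed Windows Security events: 4624 is a logon, 4634 and 4647 are logoffs. The dictionary field names and sample values are assumptions, and the example goes beyond the thread by counting distinct hosts, skipping non-interactive logon types, and expiring sessions with no logged logoff, all to reduce false positives.

```python
from collections import defaultdict

LOGON = 4624                 # successful logon
LOGOFF = {4634, 4647}        # logoff, user-initiated logoff
INTERACTIVE = {2, 10, 11}    # interactive, RemoteInteractive (RDP), cached interactive

def concurrent_logins(events, min_hosts=2, max_age_s=12 * 3600):
    """Return {user: [(time, [hosts])]} for each logon that leaves the user
    with open interactive sessions on at least min_hosts distinct machines."""
    open_sessions = defaultdict(dict)   # user -> {(host, logon_id): start time}
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"].lower()
        sessions = open_sessions[user]
        key = (ev["host"], ev["logon_id"])
        if ev["event_code"] in LOGOFF:
            sessions.pop(key, None)     # close the matching session, if tracked
            continue
        if ev["event_code"] != LOGON or ev["logon_type"] not in INTERACTIVE:
            continue   # network (3), service (5) etc. are not a person at a desktop
        # Expire sessions whose logoff was never logged (crash, power loss).
        for stale in [k for k, t in sessions.items() if ev["time"] - t > max_age_s]:
            del sessions[stale]
        before = {host for host, _ in sessions}
        sessions[key] = ev["time"]
        after = before | {ev["host"]}
        # Count distinct hosts: one desktop logon can emit two 4624 events.
        if len(after) >= min_hosts and len(after) > len(before):
            findings[user].append((ev["time"], sorted(after)))
    return dict(findings)

# Constructed sample events (epoch seconds); field names are assumptions.
SAMPLE = [
    {"time": 1000, "event_code": 4624, "user": "JSMITH", "host": "WS01", "logon_id": "0x1a", "logon_type": 2},
    {"time": 1000, "event_code": 4624, "user": "JSMITH", "host": "WS01", "logon_id": "0x1b", "logon_type": 2},
    {"time": 1300, "event_code": 4624, "user": "jsmith", "host": "FS01", "logon_id": "0x2c", "logon_type": 3},
    {"time": 2800, "event_code": 4624, "user": "jsmith", "host": "WS02", "logon_id": "0x3d", "logon_type": 10},
    {"time": 500, "event_code": 4624, "user": "adoe", "host": "WS03", "logon_id": "0x4e", "logon_type": 2},
    {"time": 3500, "event_code": 4634, "user": "adoe", "host": "WS03", "logon_id": "0x4e"},
    {"time": 4700, "event_code": 4624, "user": "adoe", "host": "WS04", "logon_id": "0x5f", "logon_type": 2},
    {"time": 100, "event_code": 4624, "user": "bkay", "host": "WS05", "logon_id": "0x60", "logon_type": 2},
    {"time": 46900, "event_code": 4624, "user": "bkay", "host": "WS06", "logon_id": "0x61", "logon_type": 2},
]

if __name__ == "__main__":
    for user, hits in concurrent_logins(SAMPLE).items():
        print(user, hits)
```

Only jsmith is reported: adoe logged off before the second logon, and bkay's first session is older than the 12-hour expiry.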