Dashboards & Visualizations

Advise how to build a dashboard that shows user activity from Windows data

test_qweqwe
Builder

Hi there my little friends.

I want to implement a use case that will show me a user's online activity. For example, I have log in/log out data with timestamps.
How best to build the search logic?

First of all, I want to see a general picture of the user's online time, to understand his behaviour and then determine an anomaly (the user logged on to his workstation outside business hours).


gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
For login and logout, it isn't so easy on Windows (in Linux it's easier!) because each access to the domain generates 10-12 logon events (EventCode 4624) and more or less the same number of logoff events (EventCode 4634).
This means that you have to correlate many events to understand the real login and logout.
You can easily find the logged-in users by creating a script that uses the Windows CLI command "query user" and running it as a scripted input.

About user activity, you have to see what information you have in your Windows or application logs: it depends on many factors (e.g. if you enable file auditing you can trace accesses to files and folders, but it consumes Splunk license and server resources).

In other words, you have to define exactly what you need (the monitoring perimeter), then see where to find the logs (if you have them), and only then think about how to do it in Splunk (normally the easiest part of the work!).

I hope I didn't discourage you too much!
Some help could come from the Splunk App for Windows Infrastructure, which gives information from Windows servers, but it doesn't give you user activity monitoring.
In addition, I don't know your nationality and your regulations, but in Italy monitoring users' activity is forbidden by law (for privacy reasons)!

Ciao.
Giuseppe


test_qweqwe
Builder

Yes, I have noticed that I have a lot of events, and it forced me to ask a question on the forum 😄
No, we don't have such regulations. It's allowed in my country and in the company (in case there is a suspicion that a person is causing damage to the company, an evil insider). But I'm talking about his activity on corporate resources, not his private life. If a person starts to break a policy, we need to do an investigation and collect statistical data (his activity). It's the same if you use your RFID card to open the doors and your data: when you opened a door, when you came to work - all of this is stored in a DB. And in the event of an incident in which you were involved, this database is reviewed (your activity is reviewed).
Or am I talking about different cases and that's not what you meant?


gcusello
SplunkTrust
SplunkTrust

Hi test_qweqwe,
in Italy it's different: it's possible to investigate people's working activities only in policy investigations!

Anyway, you could correlate more events, first deduping events with the same user, host and timestamp; then you could use the transaction command, correlating events with the same user and host that start with EventCode=4624 and end with EventCode=4634.
Try something like this:

<your_search>
| dedup user host _time
| transaction user host startswith="EventCode=4624" endswith="EventCode=4634"
| ...

But you have to analyze your results to check whether you have to limit your transaction, e.g. to a time period (e.g. maxspan=2h or a different value).

Ciao.
Giuseppe

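One way to do the same correlation outside Splunk, as an added example that is not part of the thread (not gcusello's search and not Splunk's own code): the Python below pairs each 4624 with the 4634 that carries the same Logon ID, a field both events record, drops the network (type 3) logons that make up most of the 10-12 events a domain access produces, and then flags sessions that started outside business hours, which is the anomaly the question asks about. The field names (EventCode, Logon_ID, Logon_Type, user, host, _time) are assumed to follow the Splunk Windows add-on naming, and the events are constructed sample data, not real logs. Note that the dedup key here also includes EventCode and Logon_ID, so a logon and a logoff that land in the same second are not collapsed into one event.

```python
"""Pair Windows 4624/4634 events into logon sessions and flag off-hours logons.

Added example (not code from the thread). Field names follow the Splunk
Windows add-on naming as an assumption: EventCode, Logon_ID, Logon_Type,
user, host, _time. The events below are constructed sample data.
"""
from datetime import datetime, timedelta

# Logon types that mean a person sat down at a console (2), came in over
# RDP (10) or unlocked a workstation with cached credentials (11).
# Type 3 (network) makes up most of the 10-12 events a domain access
# produces and is dropped as noise here.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample events (not real logs). The first 4624 is repeated to
# mimic a duplicated forward; the 03:10 RDP logon is the planted anomaly.
SAMPLE_EVENTS = [
    {"_time": "2024-03-04T08:02:11", "host": "WS01", "user": "alice",
     "EventCode": 4624, "Logon_ID": "0x3E7A1", "Logon_Type": 2},
    {"_time": "2024-03-04T08:02:11", "host": "WS01", "user": "alice",
     "EventCode": 4624, "Logon_ID": "0x3E7A1", "Logon_Type": 2},   # duplicate
    {"_time": "2024-03-04T08:02:12", "host": "WS01", "user": "alice",
     "EventCode": 4624, "Logon_ID": "0x3E7B0", "Logon_Type": 3},   # network noise
    {"_time": "2024-03-04T08:02:12", "host": "WS01", "user": "alice",
     "EventCode": 4634, "Logon_ID": "0x3E7B0", "Logon_Type": 3},
    {"_time": "2024-03-04T17:31:40", "host": "WS01", "user": "alice",
     "EventCode": 4634, "Logon_ID": "0x3E7A1", "Logon_Type": 2},
    {"_time": "2024-03-05T03:10:05", "host": "WS01", "user": "alice",
     "EventCode": 4624, "Logon_ID": "0x4F100", "Logon_Type": 10},  # off-hours RDP
    {"_time": "2024-03-05T03:42:19", "host": "WS01", "user": "alice",
     "EventCode": 4634, "Logon_ID": "0x4F100", "Logon_Type": 10},
    {"_time": "2024-03-05T09:00:00", "host": "WS02", "user": "bob",
     "EventCode": 4624, "Logon_ID": "0x51000", "Logon_Type": 2},   # no logoff yet
]


def dedup(events):
    """Drop exact repeats. The key includes EventCode and Logon_ID on top of
    user/host/_time, so a logon and a logoff landing in the same second
    are not collapsed into one event."""
    seen, out = set(), []
    for e in events:
        key = (e["user"], e["host"], e["_time"], e["EventCode"], e["Logon_ID"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def build_sessions(events, maxspan=timedelta(hours=12),
                   logon_types=INTERACTIVE_LOGON_TYPES):
    """Pair each 4624 with the 4634 that carries the same host and Logon_ID.

    Returns sessions sorted by start time; `end` is None when no logoff was
    seen within maxspan (still logged on, or the logoff event was lost).
    """
    open_logons, sessions = {}, []
    for e in sorted(dedup(events), key=lambda ev: ev["_time"]):
        if e["Logon_Type"] not in logon_types:
            continue
        key = (e["host"], e["Logon_ID"])
        t = datetime.fromisoformat(e["_time"])
        if e["EventCode"] == 4624:
            open_logons[key] = {"user": e["user"], "host": e["host"],
                                "logon_id": e["Logon_ID"],
                                "logon_type": e["Logon_Type"],
                                "start": t, "end": None}
        elif e["EventCode"] == 4634 and key in open_logons:
            s = open_logons.pop(key)
            if t - s["start"] <= maxspan:
                s["end"] = t
            sessions.append(s)
    sessions.extend(open_logons.values())   # logons with no logoff seen
    return sorted(sessions, key=lambda s: s["start"])


def is_off_hours(t, start_hour=8, end_hour=18, workdays=range(5)):
    """True when t falls on a weekend or outside [start_hour, end_hour)."""
    return t.weekday() not in workdays or not (start_hour <= t.hour < end_hour)


def off_hours_sessions(sessions, **business_hours):
    """The anomaly from the question: sessions that started off-hours."""
    return [s for s in sessions if is_off_hours(s["start"], **business_hours)]


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        flag = "OFF-HOURS" if is_off_hours(s["start"]) else ""
        end = s["end"].isoformat() if s["end"] else "(still open)"
        print(f'{s["user"]:6} {s["host"]:5} type={s["logon_type"]:<2} '
              f'{s["start"].isoformat()} -> {end} {flag}')
```

On the sample data this yields three sessions (two for alice, one still open for bob) and flags only the 03:10 RDP logon. The `maxspan` argument plays the role of the transaction `maxspan` in the search above: a 4634 that arrives later than that is not trusted as the end of the session, and the session is reported as open instead.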

test_qweqwe
Builder

Thanks for your Splunk search, I used it in my research!
