
Calculate end time splunk transaction
Admin edit: fixed sourcetype and changed it to source… queries should work again.

Legacy Windows event IDs (528 = logon, 538 = logoff):

source=WinEventLog:Security (EventCode=528 OR EventCode=538) (Logon_Type=2 OR Logon_Type=10) | eval Date=strftime(_time, "%Y/%m/%d") | eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services") | transaction host User startswith=EventCode=528 endswith=EventCode=538 | where duration > 5 | eval duration=duration/60 | eval duration=round(duration,2) | table host, User, LogonType, duration, Date | rename duration as "Session Duration in Minutes" | sort - Date

Current Windows event IDs (4624 = logon, 4634 = logoff):

source=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10) | eval Date=strftime(_time, "%Y/%m/%d") | eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services") | transaction host user startswith=EventCode=4624 endswith=EventCode=4634 | where duration > 5 | eval duration=duration/60 | eval duration=round(duration,2) | table host, user, LogonType, duration, Date | rename duration as "Session Duration in Minutes" | sort - Date

The query above returns the duration of a user's logon session, measured from the initial logon event to the matching logoff event on the same host. I have a duration filter set to greater than 5 seconds to weed out any scripts that may quickly log on and log off (change this as needed to fit your environment).